Dynamic CFI using line-of-code behavior and relation models

ABSTRACT

Disclosed herein are techniques for analyzing control-flow integrity based on functional line-of-code behavior and relation models. Techniques include receiving data based on runtime operations of a controller; constructing a line-of-code behavior and relation model representing execution of functions on the controller based on the received data; constructing, based on the line-of-code behavioral and relation model, a dynamic control flow integrity model configured for the controller to enforce in real-time; and deploying the dynamic control flow integrity model to the controller.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.17/350,011, filed on Jun. 17, 2021, currently pending, which is acontinuation of U.S. patent application Ser. No. 17/094,993, filed onNov. 11, 2020, which issued as U.S. Pat. No. 11,074,168 on Jul. 27,2021, which is a continuation of U.S. patent application Ser. No.16/828,800, filed on Mar. 24, 2020, which issued as U.S. Pat. No.10,878,082 on Dec. 29, 2020, which claims priority to U.S. ProvisionalPatent App. No. 62/823,131, filed on Mar. 25, 2019. The disclosures ofthe above-referenced applications are incorporated herein by referencein their entireties.

TECHNICAL FIELD

The subject matter described herein generally relates to techniques forproviding analysis and security to vehicle software and systems, as wellas to various other types of Internet-of-Things (IoT) ornetwork-connected systems that utilize controllers such as electroniccontrol units (ECUs) or other controllers. For example, certaindisclosed embodiments are directed to generating and signingline-of-code behavior and relation models. These techniques may includeproving a status of software functionality change following a change tocode. Some techniques may involve identifying software interdependenciesthrough line-of-code behavior and relation models, verifying a softwaremalfunction source among disparate code sources, and/or identifyingsoftware dependencies through line-of-code behavior and relation models.Other techniques may use line-of-code behavior and relation models toanticipate the impact of hardware changes. Further, some techniques mayrelate to verifying the integrity of controller software updates orproviding for dynamic control flow integrity, through line-of-codebehavior and relation models. As yet another example, some techniquesmay provide for dynamic visualization of code execution throughline-of-code behavior and relation models.

BACKGROUND

Modern vehicles and other Internet of. Things (IoT) systems oftenutilize many different controllers, which may need software changes fromtime to time. These software changes present many challenges. Forexample, to accept a software change over the air in conventionalsystems, a controller may have a communication channel that may bevulnerable to attack, such as through the introduction of malicioussoftware files. In some scenarios, such vulnerability may be amplifiedby a lack of authentication of a software change (e.g., update, upgrade,patch, fix, recalibration, configuration management, etc.) at a device,such as at a controller. As another example, software developers mayhave difficulty in determining the functional effects caused by codechanges, which may extend beyond a single component to other componentsand even entire systems. This may lead to unintended changes in asystem, which in some cases may cripple functionality or even put a userin danger for example, where a critical component in a vehicle iscompromised). In many conventional settings, it may proveresource-intensive (if even possible) to pinpoint differences infunctional effects between pieces of software, as well as to determinepropagating effects of such differences. Moreover, confirming whether asoftware update preserves functional equivalence may be difficult toaccomplish through conventional means, and may require lengthy processesusing large amounts of data and bandwidth to make such confirmations. Inmany cases, current methods may provide developers with only a cursoryunderstanding of functional impacts, or with line-of-code focuseddisplays that fail to emphasize important functional information, makingit a time and resource intensive process for a user to appreciatepossible functional changes that may result from a change in code.

Conventional software analysis and security techniques are not currentlyequipped to handle these issues. For example, they lack adequatetechniques for determining functional changes caused by new code,determining far-reaching impacts of functional changes, and ensuringfunctional consistency while preventing installation of functionallydisruptive, unauthorized, and/or malicious software updates. Moreover,many current methods also fail to inform software developers offunctional changes, regardless of their degree of disruptiveness.

In view of the technical deficiencies of current systems, there is aneed for improved systems and methods for providing comprehensivesecurity protections for controllers and systems. The techniquesdiscussed below offer many technological improvements in security,efficiency, verifiability, and usability. For example, according to sometechniques, code for a controller may be functionally analyzed and aline-of-code behavior and relation model may be generated. A signatureoperation may be performed on the line-of-code behavior and relationmodel, which may allow for rapid assessment of the line-of-code behaviorand relation model relative to code or another model, without the needto scrutinize the entire model.

Related advantages may result from disclosed methods involving thefunctional differential comparison two line-of-code behavior andrelation models. Such a comparison may result in a status and/ordetermined degree of functional equivalence. This information may beused by devices, systems, and/or users to make decisions regardingsoftware changes.

Line-of-code behavior and relation mode a as described herein may alsoallow for the detection of software interdependencies. For example,according to some disclosed techniques, functional line-of-code behaviorand relation models may be analyzed, such as in conjunction with apossible software update, to identify interdependencies betweendifferent parts of code on the same controller.

As yet another advantage, disclosed techniques permit the identificationof code or a device impacted by a potential software change, as well asan associated source. Using this identification, notifications may besent to an associated source to ensure faster system or device healing.

Disclosed embodiments also relate to anticipating impacts of hardwarechanges. For example, a new piece of hardware may prompt an analysisprocess that leverages line-of-code behavior and relation models todetermine a status of functional equivalence for the new piece ofhardware. Based on the determined status, other responsive actions maybe used to allow for more seamless implementation of the hardware into asystem.

As with identifying software interdependencies, identifying softwaredependencies may also be achieved with the disclosed techniques. Forexample, multiple line-of-code behavior and relation models may be usedto follow the impact of code changes throughout a system, allowing forearly identification of unintended consequences within a system, and forthe safe deployment of new software.

Disclosed embodiments also relate to verifying the integrity ofcontroller software updates. For example, a line-of-code behavior andrelation model and/or signature value may be used by a controller toconfirm that a received update is legitimate and appropriate forexecution. In some cases, a controller may only receive a signaturevalue and compute its own line-of-code behavior and relation model andsignature value, reducing strain on over-the-air bandwidth while stillallowing the controller to ensure that a received software change willnot interfere with its operations.

Further, some disclosed techniques allow for dynamic control flowintegration using line-of-code behavior and relation models. Forexample, a line-of-code behavior and relation model may be based onruntime operations of a controller, and also used to construct a dynamiccontrol flow integrity model, which may be deployed to a controller. Inthis manner, functional analysis of runtime operations may be used toprovide for continued secure operation of a controller.

Moreover, some disclosed techniques provide for improved visualizationof functional changes within a system or device by constructing aline-of-code behavior and relation model. For example, visual depictionsof line-of-code behavior and relation and models may be displayed andmay dynamically change based on user interaction, code changes, devicechanges, and the like. Such depictions may condense information thatwould otherwise be time and resource intensive to analyze.

SUMMARY

So disclosed embodiments describe non-transitory computer readablemedia, systems, and methods for using line-of-code behavior and relationmodels. For example, in an exemplary embodiment, a non-transitorycomputer readable medium may include instructions that, when executed byat least one processor, cause the at least one processor to performoperations for generating and signing line-of-code behavior and relationmodels. The operations may comprise identifying executable code for acontroller; performing a functional analysis of the executable code todetermine a plurality of functions associated with the executable codeand a plurality of relationships between the plurality of functions;generating, based on the determined plurality of functions and pluralityof relationships, a line-of-code behavior and relation model for theexecutable code; performing a signature operation on the generatedline-of-code behavior and relation model to produce a unique signaturevalue associated with at least one of: the line-of-code behavior andrelation model or a functional block of the line-of-code behavior andrelation model; and linking the unique signature value to theline-of-code behavior and relation model.

In accordance with further embodiments, the operations further compriseassigning the unique signature value to the executable code.

In accordance with further embodiments the operations further comprisesending the line-of-code behavior and relation model with the assignedsignature value to a remote device.

In accordance with further embodiments, the executable code is asoftware change delta file.

In accordance with further embodiments, the signature value is a hashvalue.

In accordance with further embodiments, the generating of theline-of-code behavior and relation model is performed through a machinelearning process.

In accordance with further embodiments, the machine learning process isa statistical classification process.

In accordance with further embodiments, the machine learning process isa dynamic analysis process.

In accordance with further embodiments, the machine learning processincludes determining a sequence of functions associated with theexecutable code.

In accordance with further embodiments, the machine learning processincludes determining a relationship between at least two of thefunctions of the sequence.

Further disclosed embodiments include a method for generating andsigning line-of-code behavior and relation models. The method maycomprise identifying executable code for a controller; performing afunctional analysis of the executable code to determine a plurality offunctions associated with the executable code and a plurality ofrelationships between the plurality of functions; generating, based onthe determined plurality of functions and plurality of relationships, aline-of-code behavior and relation model for the executable code;performing a signature operation on the generated line-of-code behaviorand relation model to produce a unique signature value associated withat least one of: the line-of-code behavior and relation model or afunctional block of the line-of-code behavior and relation model; andlinking the unique signature value to the line-of-code behavior andrelation model.

In accordance with further embodiments, the method further comprisesassigning the unique signature value to the executable code.

In accordance with further embodiments, the method further comprisessending the line-of-code behavior and relation model with the assignedsignature value to a remote device.

In accordance with further embodiments, the executable code is asoftware change delta file.

In accordance with further embodiments, the unique signature value is acryptographic nonce number.

In accordance with further embodiments, the controller is a virtualcontroller.

In accordance with further embodiments, the controller is an electroniccontrol unit (ECU) of a vehicle.

In accordance with further embodiments, linking the unique signaturevalue comprises compressing the relation model.

In accordance with further embodiments, the signature operation is basedon a number of the functions associated with the executable code or atype of at least one of the functions.

In accordance with further embodiments, the signature operation is basedon a number of the relationships or functions associated with at leastone relationship.

In another exemplary embodiment, non-transitory computer readable mediummay include instructions that, when executed by at least one processor,cause the at least one processor to perform operations for using aline-of-code behavior and relation model to determine softwarefunctionality changes. The operations may comprise identifying a firstportion of executable code and a second portion of executable code;accessing a first line-of-code behavior and relation model representingexecution of functions of the first portion of executable code;constructing, based on the second portion of executable code, a secondline-of-code behavior and relation model representing execution offunctions of the second portion of executable code; performing afunctional differential comparison of the first line-of-code behaviorand relation model to the second line-at-code behavior and relationmodel; determining, based on the functional differential comparison, astatus of functional equivalence between the first portion of executablecode and the code portion of executable code; and generating, based onthe determined difference, a report identifying the status of functionalequivalence.

In accordance with further embodiments, the status of functionalequivalence includes a status of equivalent or not equivalent.

In accordance with further embodiments, the status of functionalequivalence includes a degree of equivalence.

In accordance with further embodiments, the operations further comprise:determining that the degree of equivalence does not reach a threshold;and based on determining that the degree of equivalence does not reach athreshold, generating a prompt.

In accordance with further embodiments, the comparison includesdetermining whether functionality of the first portion of executablecode falls within an operational envelope related to at least one of aCPU cycle, a memory requirement, speed of execution, or a functionalityrelationship.

In accordance with further embodiments, at least one of the execution offunctions of the first portion of executable code or the execution offunctions of the second portion of executable code is an execution on aphysical controller.

In accordance with further embodiments, at least one of the execution offunctions of the first portion of executable code or the execution offunctions of the second portion of executable code is an execution on avirtualized controller.

In accordance with further embodiments, the functional differentialcomparison is based on at least one of a difference of: response time,sequence of function execution, or memory leakage.

In accordance with further embodiments, when a result of the functionaldifferential comparison exceeds a threshold, the operations furthercomprise determining, based on the difference, an estimated probabilityof downtime.

In accordance with further embodiments, the estimated probability ofdowntime is expressed as probability of downtime in a defined timeperiod.

In accordance with further embodiments, the operations further compriselinking at least one of the functions of the second portion ofexecutable code to at least a segment of the second portion ofexecutable code.

In accordance with further embodiments, the accessed line-of-codebehavior and relation model was generated according to a machinelearning process.

In accordance with further embodiments, the operations further comprisedetermining, based on the functional differential comparison that athird portion of executable code is dormant.

In accordance with further embodiments, the first or second line-of-codebehavior and relation model was generated dynamically.

In accordance with further embodiments, the first con line-of-codebehavior and relation model was generated statically.

In accordance with further embodiments, the report further identifies atleast one instance of functionality drift.

Further disclosed embodiments include a method for using a line-of-codebehavior and relation model to determine software functionality changes.The method may comprise identifying a first portion of executable codeand a second portion of executable code; accessing a first line-of-codebehavior and relation model representing execution of functions of thefirst portion of executable code: constructing, based on the secondportion of executable code, a second line-of-code behavior and relationmodel representing execution of functions of the second portion ofexecutable code; performing a functional differential comparison of thefirst line-of-code behavior and relation model to the secondline-of-code behavior and relation model; determining, based on thefunctional differential comparison a status of functional equivalencebetween the first portion of executable code and the code portion ofexecutable code; and generating, based on the determined difference, areport identifying the functional equivalence.

In accordance with further embodiments, the status of functionalequivalence includes a status of equivalent or not equivalent.

In accordance with further embodiments the comparison includesdetermining whether functionality of the first portion of executablecode falls within an operational envelope related to at least one of aCPU cycle, a memory requirement, speed of execution, or a functionalityrelationship.

In accordance with further embodiments, the accessed line-of-codebehavior and relation model was generated according to a machinelearning process.

In another exemplary embodiment, a non-transitory computer readablemedium may include instructions that, when executed by at least oneprocessor, cause the at least one processor to perform operations foridentifying software interdependencies based on functional line-of-codebehavior and relation models. The operations may comprise identifying afirst portion of executable code associated with a first controller,accessing a functional line-of-code behavior and relation modelrepresenting functionality of the first portion of executable code and asecond portion of executable code; determining, based on the functionalline-of-code behavior and relation model, that the second portion ofexecutable code is interdependent with the first portion of executablecode; and generating, based on the determined interdependency, a reportidentifying the interdependent first portion of executable code andsecond portion of executable code.

In accordance with further embodiments, the operations further compriseidentifying a first signature uniquely identifying the first portion ofexecutable code and a second signature uniquely identifying the secondportion of executable code.

In accordance with further embodiments, the first and second portions ofexecutable code are implemented on a virtualized controller.

In accordance with further embodiments, the second portion of executablecode is associated with the first controller.

In accordance with further embodiments, the second portion of executablecode is associated with a second controller.

In accordance with further embodiments, the first and second controllersare part of the same device.

In accordance with further embodiments, the device is at least a portionof a vehicle.

In accordance with further embodiments, the operations further comprisedetermining a functional impact of the first portion of executable codeon the second portion of executable code.

In accordance with further embodiments, a first sensitivity value isassociated with the first portion of executable code; a secondsensitivity value associated with the second portion of executable code;and the functional impact is based on the first or second sensitivityvalues.

In accordance with further embodiments, the functional impact isincluded in the generated report.

In accordance with further embodiments, the operation further comprisegenerating a visual depiction of the determined interdependency.

In accordance with further embodiments, the operations further comprisedetermining that the functional impact exceeds a threshold, wherein thevisual depiction is based on the determination that the functionalimpact exceeds the threshold.

In accordance with further embodiments, the visual depiction includes avisual element of the determined interdependency, a visual element ofthe first portion of executable code, a visual element of the secondportion of executable code, and visual elements of other portions ofexecutable code.

Further disclosed embodiments include a method for identifying softwareinterdependencies based on functional line-of-code behavior and relationmodels. The method may comprise identifying a first portion ofexecutable code associated with a first controller; accessing afunctional line-of-code behavior and relation model representingfunctionality of the first portion of executable code and a secondportion of executable code; determining, based on the functionalline-of-code behavior and relation model, that the second portion ofexecutable code is interdependent with the first portion of executablecode; and generating, based on the determined interdependency, a reportidentifying the interdependent first portion of executable code andsecond portion of executable code.

In accordance with further embodiments, the method further comprisesidentifying a first signature uniquely identifying the first portion ofexecutable code and a second signature uniquely identifying the secondportion of executable code.

In accordance with further embodiments, the second portion of executablecode is associated with the first controller.

In accordance with further embodiments, the second portion of executablecode is associated with a second controller.

In accordance with further embodiments, the method further comprisesdetermining a functional impact of the first portion of executable codeon the second portion of executable code.

In accordance with further embodiments, a first sensitivity value isassociated with the first portion of executable code; second sensitivityvalue is associated with the second portion of executable code; and thefunctional impact is based on the first or second sensitivity values.

In accordance with further embodiments, the functional impact isincluded in the generated report.

In another exemplary embodiment, a non-transitory computer readablemedium may include instructions that, when executed by at least oneprocessor, cause the at least one processor to perform operations foridentifying sources of software-based malfunctions. The operations maycomprise identifying a potential software malfunction in a system, thesystem having multiple code sets associated with a plurality ofdifferent software sources; accessing a line-of-code behavior andrelation model representing execution of functions of the code sets;identifying, based on the line-of-code behavior and relation model, acode set determined to have the potential to cause, a least in part, thepotential software malfunction; and determining a source identifier ofthe identified code set.

In accordance with further embodiments, the multiple code sets areassociated with at least one controller of the system.

In accordance with further embodiments, the accessed line-of-codebehavior and relation model was generated dynamically based on dataassociated with real-time operations of the at least one controller.

In accordance with further embodiments, the line-of-code behavior andrelation model represents execution of functions of the identified codeset.

In accordance with further embodiments, the multiple code sets aredeveloped by a plurality of different software developers.

In accordance with further embodiments, each of the plurality ofdifferent software developers has a unique source identifier.

In accordance with further embodiments, the operations further comprisesending a report of the potential software malfunction to a remotesource associated with the identified source identifier.

In accordance with further embodiments, the identification of thepotential software malfunction in the system is based on a recentsoftware change to a component of the system.

In accordance with further embodiments, the software change wasimplemented on the component using a delta file.

In accordance with further embodiments, the operations further comprisesending a report of the potential software malfunction to a remotesource associated with the identified source identifier, the delta fileis associated with a unique identifier, and the unique identifier isincluded in the report.

In accordance with further embodiments the operations further comprisereverting software on the component by delinking the delta file fromcurrent software on the component.

In accordance with further embodiments, the system is a virtual system.

Further disclosed embodiments include a method for identifying sourcesof software-based malfunctions. The method may comprise identifying apotential software malfunction in a system, the system having multiplecode sets associated with a plurality of different software sources;accessing a line-of-code behavior and relation model representingexecution of functions of the code sets; identifying, based on theline-of-code behavior and relation model, a code set determined to havecaused, a least in part, the potential software malfunction; anddetermining a source identifier of the identified code set.

In accordance with further embodiments, the multiple code sets areassociated with at least one controller of the system.

In accordance with further embodiments, the accessed line-of-codebehavior and relation model was generated dynamically based on dataassociated with real-time operations of the at least one controller.

In accordance with further embodiments, the line-of-code behavior andrelation model represents execution of functions of the identified codeset.

In accordance with further embodiments, the multiple code sets aredeveloped by a plurality of different software developers.

In accordance with further embodiments each of the plurality ofdifferent software developers has a unique source identifier.

In accordance with further embodiments, the operations further comprisesending a report of the potential software malfunction to a remotesource associated with the identified source identifier.

It accordance with further embodiments, the identification of thepotential software malfunction in the system is based on a delta fileexecuted in the system.

In another exemplary embodiment, a non-transitory computer readablemedium may include instructions that, when executed by at least oneprocessor, cause the at least one processor to perform operations foranalyzing hardware change impacts based on at least one functionalline-of-code behavior and relation model. The operations may compriseidentifying a new hardware component associated with a system; accessinga first line-of-code behavior and relation model representing executionof functions using the new hardware component; accessing a secondline-of-code behavior and relation model representing execution offunctions on a previous hardware component of the system; performing afunctional differential comparison of the first line-of-code behaviorand relation model to the second line-of-code behavior and relationmodel; determining, based on the functional differential comparison, astatus of functional equivalence between the new hardware component andthe previous hardware component; and generating, based on the determineddifference, a report identifying the status of functional equivalence.

In accordance with further embodiments, the second line-of-code behaviorand relation model was generated dynamically based on data associatedwith real-time operations of the previous hardware component.

In accordance with further embodiments, the first line-of-code behaviorand relation model was generated based on data associated with simulatedoperations of the new hardware component.

In accordance with further embodiments, the new hardware component is acontroller.

In accordance with further embodiments, the system is a vehicle and thecontroller is an electronic control unit (ECU).

In accordance with further embodiments, the operations further comprise,based on the determined difference, determining that the new hardwarecomponent is unauthorized.

In accordance with further embodiments, the operations further comprise,based on determining that the new hardware component is unauthorized,blocking operation of the new hardware component.

In accordance with further embodiments, the controller is a firstcontroller, the operations further comprise determining that at leastone hardware component is a second controller dependent with the firstcontroller.

In accordance with further embodiments, the previous hardware componentis to be replaced by the new hardware component.

In accordance with further embodiments, the operations further comprisedetermining that at least one hardware component is interdependent withthe new hardware component.

In accordance with further embodiments, the operations further comprise:accessing a third line-of-code behavior and relation model, the thirdmodel representing execution of functions on at least one dependenthardware component and the previous hardware component; generating afourth line-of-code behavior and relation model, the fourth modelrepresenting execution of functions on the at least one dependenthardware component and the new hardware component; performing afunctional differential comparison of the third model to the fourthmodel; determining, based on the functional differential comparison, achange in functional equivalence within the system; and generating,based on the determined difference, a report identifying the change.

Further disclosed embodiments include a method for analyzing hardwarechange impacts based on at least one functions line-of-code behavior andrelation model. The method may comprise identifying a new hardwarecomponent associated with a system; accessing a first line-of-codebehavior and relation model representing execution of functions usingthe new hardware component; accessing a second line-of-code behavior andrelation model representing execution of functions on a previoushardware component of the system; performing a functional differentialcomparison of the first line-of-code behavior and relation model to thesecond line-of-code behavior and relation model; determining, based onthe functional differential comparison, a status of functionalequivalence between the new hardware component and the previous hardwarecomponent, and generating, based on the determined difference, a reportidentifying the status of functional equivalence.

In accordance with further embodiments, the second line-of-code behaviorand relation model was generated dynamically based on data associatedwith real-time operations of the previous hardware component.

In accordance with further embodiments, the first line-of-code behaviorand relation model was generated based on data associated with simulatedoperations of the new hardware component.

In accordance with further embodiments, the operations further comprise,based on the determined difference, determining that the new hardwarecomponent is unauthorized.

In accordance with further embodiments, the operations further comprise,based on determining that the new hardware component is unauthorized,blocking operation of the new hardware component.

In accordance with further embodiments, the controller is a firstcontroller, and the operations further comprise determining that atleast one hardware component is a second controller dependent with thefirst controller.

In accordance with further embodiments, the previous hardware componentis to be replaced by the new hardware component.

In accordance with further embodiments, the operations further comprisedetermining that at least one hardware component is interdependent withthe new hardware component.

In accordance with further embodiments, the operations further comprise:accessing a third line-of-code behavior and relation model, the thirdmodel representing execution of functions on at least one dependenthardware component and the previous hardware component; generating afourth line-of-code behavior and relation model, the fourth modelrepresenting execution of functions on the at least one dependenthardware component and the new hardware component, performing afunctional differential comparison of the third model to the fourthmodel; determining, based on the functional differential comparison, achange in functional equivalence within the system; and generating,based on the determined difference a report identifying the change.

In another exemplary embodiment, a non-transitory computer readablemedium may include instructions that, when executed by at least oneprocessor, cause the at least one processor to perform operations foridentifying software dependencies based on functional line-of-codebehavior and relation models. The operations may comprise accessing afirst line-of-code behavior and relation model representing execution offunctions of a first portion of executable code, the first portion ofexecutable code being associated with a first symbol; detecting a changeto the first portion of executable code; constructing, based on thechanged first portion of executable code, a second line-of-code behaviorand relation model representing execution of functions of the changedfirst portion of executable code; determining, based on the constructedsecond model, a dependency between (i) the changed first portion ofexecutable code or the first symbol and (ii) a second symbol; andgenerating, based on the determined difference, a report identifying thedependency.

In accordance with further embodiments, the second symbol is at leastone of a variable, buffer, function, call, object, or segment of code.

In accordance with further embodiments, the operations further comprisedetermining an impact to the second symbol caused by the changed firstportion of executable code, the report further identifying the impact.

In accordance with further embodiments a first sensitivity value isassociated with the first portion of executable code; a secondsensitivity value is associated with the second symbol; and the impactis based on the first or second sensitivity values.

In accordance with further embodiments, the first portion of executablecode is configured to execute on a first controller and the secondsymbol is associated with a second controller.

In accordance with further embodiments, the operations further comprisedetermining the dependency by operating the second model remotely fromthe first and second controllers.

In accordance with further embodiments, the first and second controllersare part of a group of electronic control units (ECUs) in a vehicle.

In accordance with further embodiments, the dependency includes astrength of association between the first symbol and the second symbol.

In accordance with further embodiments, the strength of association isbased on a frequency with which the first symbol interacts with thesecond symbol.

In accordance with further embodiments, the strength of association isbased on the first portion of executable code being configured to callmodify the second symbol.

In accordance with further embodiments, the operations further comprisegenerating a visual depiction of the determined dependency.

Further disclosed embodiments include a method for identifying softwaredependencies based on functional line-of-code behavior and relationmodels. The method may comprise accessing a first line-of-code behaviorand relation model representing execution of functions of a firstportion of executable code, the first portion of executable code beingassociated with a first symbol; detecting a change to the first portionof executable code; constructing, based on the changed first portion ofexecutable code, a second line-of-code behavior and relation modelrepresenting execution of functions of the changed first portion ofexecutable code; determining, based on the constructed second model, adependency between (i) the changed first portion of executable code orthe first symbol and (ii) a second symbol; and generating, based on thedetermined difference, a report identifying the dependency.

In accordance with further embodiments, the second symbol is at leastone of a variable, buffer, function, call, object, or segment of code.

In accordance with further embodiments, the operations further comprisedetermining an impact to the second symbol caused by the changed firstportion of executable code, the report further identifying the impact.

In accordance with further embodiments, a first sensitivity value isassociated with the first portion of executable code; a secondsensitivity value is associated with the second symbol; and the impactis based on the first or second sensitivity values.

In accordance with further embodiments, the first portion of executablecode is configured to execute on a first controller and the secondsymbol is associated with a second controller.

In accordance with further embodiments, the first and second controllersare part of a group of electronic control units (ECUs) in a vehicle.

In accordance with further embodiments, the dependency includes astrength of association between the first symbol and the second symbol.

In accordance with further embodiments, the strength of association isbased on a frequency with which the first symbol interacts with thesecond symbol.

In accordance with further embodiments, the strength of association isbased on the first portion of executable code being configured to callor modify the second symbol.

In another exemplary embodiment, a non-transitory computer readablemedium may include instructions that, when executed by at least oneprocessor, cause the at least one processor to perform operations foranalyzing software delta changes based on functional line-of-codebehavior and relation models. The operations may comprise identifying aprompt to change a first version of code on a controller to a secondversion of code; constructing, based on the identified prompt, aline-of-code behavior and relation model representing execution offunctions of the controller based on the second version of code;performing a signature operation on the generated line-of-code behaviorand relation model to produce a signature value; and sending thesignature value to the controller; and the controller is configured tocompare the signature value to a computed signature value that thecontroller is configured to compute based on the second version of codeand determine, based on the comparison, whether to validate the secondversion of code.

In accordance with further embodiments, the prompt comprises a deltafile.

In accordance with further embodiments, the controller is furtherconfigured to, based on the validation, execute the second version ofcode on the controller.

In accordance with further embodiments, the controller is furtherconfigured to, based on the validation, prevent execution of the secondversion of code on the controller.

In accordance with further embodiments, the controller is furtherconfigured to, based on the validation, notify a remote sourceassociated with the second version of code.

In accordance with further embodiments, the second version of code isdeployed subsequent to the first version of code.

In accordance with further embodiments, the line-of-code behavior andrelation model is a first line-of-code behavior and relation model; andthe computing of the computed signature value comprises constructing,based on the identified prompt, a second line-of-code behavior andrelation model representing execution of functions of the controllerbased on the second version of code.

In accordance with further embodiments, the computed signature value iscomputed by using the signature operation.

In accordance with further embodiments, at least one of the first orsecond line-of-code behavior and relation models was generateddynamically based on data associated with real-time operations of thecontroller.

In accordance with further embodiments, the first and secondline-of-code behavior and relation models were generated dynamicallybased on data associated with real-time operations of the controller,the data being limited based on a group of parameters set remotely fromthe controller.

In accordance with further embodiments, the signature operation is basedon an identifier of the controller.

In accordance with further embodiments, the signature operation is basedon a type, function, version of software, sensitivity value, age, orprocessing capacity of the controller.

Further disclosed embodiments include a method for analyzing softwaredelta changes based on functional line-of-code behavior and relationmodels. The method may comprise identifying a prompt to change a firstversion of code on a controller to a second version of code;constructing, based on the identified prompt, a line-of-code behaviorand relation model representing execution of functions of the controllerbased on the second version of code; performing a signature operation onthe generated line-of-code behavior and relation model to produce asignature value; and sending the signature value to the controller; andthe controller is configured to compare the signature value to acomputed signature value that the controller is configured to computebased on the second version of code and determine based on thecomparison, whether to validate the second version of code.

In accordance with further embodiments, the prompt comprises delta file.

In accordance with further embodiments, the controller is furtherconfigured to, based on the validation, execute the second version ofcode on the controller.

In accordance with further embodiments, the line-of-code behavior andrelation model is a first line-of-code behavior and relation model; andthe computing of the computed signature value comprises constructing,based on the identified prompt, a second line-of-code behavior andrelation model representing execution of functions of the controllerbased on the second version of code.

In accordance with further embodiments, the computed signature value iscomputed by using the signature operation.

In accordance with further embodiments, at least one of the first orsecond line-of-code behavior and relation models was generateddynamically based on data associated with real-time operations of thecontroller.

In accordance with further embodiments, the first and secondline-of-code behavior and relation models were generated dynamicallybased on data associated with real-time operations of the controller,the data being limited based on a group of parameters set remotely fromthe controller.

In accordance with further embodiments, the signature operation is basedon a type, function, version of software, sensitivity value, age, orprocessing capacity of the controller.

In another exemplary embodiment, a non-transitory computer readablemedium may include instructions that, when executed by at least oneprocessor, cause the at least one processor to perform operations foranalyzing control-flow integrity based on functional line-of-codebehavior and relation models. The operations may comprise receiving databased on runtime operations of a controller; constructing a line-of-codebehavior and relation model representing execution of functions on thecontroller based on the received data; constructing, based on theline-of-code behavioral and relation model, dynamic control flowintegrity model configured for the controller to enforce in real-time;and deploying the dynamic control flow integrity model to thecontroller.

In accordance with further embodiments, the controller is configured todetect a request to execute code on the controller, and compare therequested execution to the dynamic control flow integrity model.

In accordance with further embodiments, the controller is configured todeny execution of the code on the controller if the requested executionviolates the dynamic control flow integrity model.

In accordance with further embodiments, the controller is configured togenerate an alert if the requested execution violates the dynamiccontrol flow integrity model.

In accordance with further embodiments, the operations further compriseidentifying a software change to the controller, wherein theline-of-code behavior and relation model is constructed based on theidentified software change.

In accordance with further embodiments, the controller is a firstcontroller; and the data is further based on runtime operations of asecond controller.

In accordance with further embodiments, the operations are performedperiodically according to a period based on a sensitivity valueassociated with the controller.

In accordance with further embodiments, the received data comprisesmultiple datasets associated with different runtime operations, and theoperations further comprise applying a machine learning process to themultiple datasets to produce analytical data, wherein the constructionof the line-of-code behavior and relation model is based on theanalytical data.

In accordance with further embodiments, the operations further comprise:performing a signature operation on the constructed line-of-codebehavior and relation model to produce a signature value; and deployingthe dynamic control flow integrity model to the controller with thesignature value.

In accordance with further embodiments, the controller is configured tocompare the signature value to a computed signature value that thecontroller is configured to compute based on the received data anddetermine, based on the comparison, whether to validate the dynamiccontrol flow integrity model.

Further disclosed embodiments include a method for analyzingcontrol-flow integrity based on functional line-of-code behavior andrelation models. The method may comprise receiving data based on runtimeoperations of a controller; constructing a line-of-code behavior andrelation model representing execution of functions on the controllerbased on the received data; constructing, based on the line-of-codebehavioral and relation model, a dynamic control flow integrity modelconfigured for the controller to enforce in real-time; and deploying thedynamic control flow integrity model to the controller.

In accordance with further embodiments, the controller is configured todetect a request to execute code on the controller and compare therequested execution to the dynamic control flow integrity model.

In accordance with further embodiments, the controller is configured todeny execution of the code on the controller if the requested executionviolates the dynamic control flow-integrity model.

In accordance with further embodiments, the controller is configured togenerate an alert if the requested execution violates the dynamiccontrol flow integrity model.

In accordance with further embodiments, the operations further compriseidentifying a software change to the controller, wherein theline-of-code behavior and relation model is constructed based on theidentified software change.

In accordance with further embodiments, the controller is a firstcontroller, and the data is further based on runtime operations of asecond controller.

In accordance with further embodiments, the operations are performedperiodically according to a period based n a sensitivity valueassociated with the controller.

In accordance with further embodiments, the received data comprisesmultiple datasets associated with different runtime operations, theoperations further comprise applying a machine learning process to themultiple datasets to produce analytical data, wherein the constructionof the line-of-code behavior and relation model is based on theanalytical data.

In accordance with further embodiments, the operations further comprise:performing a signature operation on the constructed line-of-codebehavior and relation model to produce a signature value; and deployingthe dynamic control flow integrity model to the controller with thesignature value.

In accordance with further embodiments, the controller is configured tocompare the signature value to a computed signature value that thecontroller is configured to compute based on the received data anddetermine, based on the comparison, whether to validate the dynamiccontrol flow integrity model.

In another exemplary embodiment, a non-transitory computer readablemedium may include instructions that, when executed by at least oneprocessor, cause the at least one processor to perform operations forvisualizing and configuring controller function sequences. Theoperations may comprise identifying at least one executable code segmentassociated with a controller; analyzing the at least one executable codesegment to determine at least one function and at least one functionalrelationship associated with the at least one code segment;constructing, a software functionality line-of-code behavior andrelation model visually depicting the determined at least one functionand at least one functional relationship; displaying the softwarefunctionality line-of-code behavior and relation model at a userinterface; receiving a first input at the user interface; in response tothe received first input, animating the line-of-code behavior andrelation model to visually depict execution of the at least oneexecutable code segment on the controller; receiving a second input atthe user interface; and in response to the received second input,animating an update to the line-of-code behavior and relation model.

In accordance with further embodiments, the operations further comprise:determining expected functional behavior of the controller and actualfunctional behavior of the controller based on the analysis: anddisplaying, at the user interface, a visual indicator of functionalbehavior corresponding to the execution of the at least one executablecode segment relative to expected functional behavior.

In accordance with further embodiments, the operations further comprise:determining a degree of deviation between the expected and actualfunctional behaviors; estimating a probability of downtime for thecontroller based on the degree of deviation; and displaying anindication of the probability of downtime at the user interface.

In accordance with further embodiments, the operations further compriseaccessing executable code configured to execute a software change on thecontroller.

In accordance with further embodiments, the operations further comprisesending an alert to a remote device.

In accordance with further embodiments, animating the line-of-codebehavior and relation model to visually depict execution of the at leastone executable code segment comprises emphasizing a visual element ofthe at least one function associated with the at least one code segment.

In accordance with further embodiments, the second input is associatedwith a code change on the controller.

In accordance with further embodiments, the controller is an electroniccontrol unit (ECU) of a vehicle.

In accordance with further embodiments, the controller is a virtualcontroller.

In accordance with further embodiments, the code change is representedby a delta file configured to change code on the controller.

In accordance with further embodiments, the delta file is configured tochange code on the controller from a first version of code to a secondversion of code.

Further disclosed embodiments include a method for visualizing andconfiguring controller function sequences. The method may compriseidentifying at least one executable code segment associated with acontroller; analyzing the at least one executable code segment todetermine at least one function and at feast one functional relationshipassociated with the at least one code segment; constructing, a softwarefunctionality line-of-code behavior and relation model visuallydepicting the determined at least one function and at least onefunctional relationship; displaying the software functionalityline-of-code behavior and relation model at a user interface; receivinga first input at the user interface; in response to the received firstinput, animating the line-of-code behavior and relation model tovisually depict execution of the at least one executable code segment onthe controller, receiving a second input at the user interface; and inresponse to the received second input, animating an update to theline-of-code behavior and relation model.

In accordance with further embodiments, the operations further comprise:determining expected functional behavior of the controller and actualfunctional behavior of the controller based on the analysis; anddisplaying at the user interface, a visual indicator of functionalbehavior corresponding to the execution of the at least one executablecode segment relative to expected functional behavior.

In accordance with further embodiments, the operations further comprise:determining a degree of deviation between the expected and actualfunctional behaviors, estimating a probability of downtime for thecontroller based on the degree of deviation; and displaying anindication of the probability of downtime at the user interface.

In accordance with further embodiments, the operations further compriseaccessing executable code configured to execute a software change on thecontroller.

In accordance with further embodiments, the operations further comprisesending an alert to a remote device.

In accordance with further embodiments, animating the line-of-codebehavior and relation model to visually depict execution of the at leastone executable code segment comprises emphasizing a visual element ofthe at least one function associated with the at least one code segment.

In accordance with further embodiments, the second input is associatedwith a code change on the controller.

In accordance with further embodiments, the code change is representedby a delta file configured to change code on the controller.

In accordance with further embodiments the delta file is configured tochange code on the controller from a first version of code to a secondversion of code.

Aspects of the disclosed embodiments may include tangiblecomputer-readable media that store software instructions that, whenexecuted, by one or more processors, are configured for and capable ofperforming and executing one or more of the methods, operations, and thelike consistent with the disclosed embodiments. Also, aspects of thedisclosed embodiments may be performed by one or more processors thatare configured as special-purpose processor(s) based on softwareinstructions that are programmed with logic and instructions thatperform, when executed, one or more operations consistent with thedisclosed embodiments.

It is to be understood that both the foregoing general description andthe following detailed description are exemplary and explanatory only,and are not restrictive of the disclosed embodiments, as claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute partof this specification, illustrate several embodiments and, together withthe description, serve to explain the disclosed principles. In thedrawings:

FIG. 1A illustrates an exemplary pictographic representation of acontroller network for providing analysis and security to controllers,consistent with embodiments of the present disclosure.

FIG. 1B illustrates an exemplary pictographic representation of acontroller, consistent with embodiments of the present disclosure.

FIG. 1C illustrates an exemplary pictographic representation of asecurity provider system, consistent with embodiments of the presentdisclosure.

FIG. 2 illustrates an exemplary pictographic representation of a set ofmodels with corresponding information tables, consistent withembodiments of the present disclosure.

FIG. 3 illustrates an exemplary pictographic representation of aline-of-code behavior and relation model, consistent with embodiments ofthe present disclosure.

FIG. 4 illustrates an exemplary pictographic representation of aninterface for analyzing code behavior, consistent with embodiments ofthe present disclosure.

FIG. 5 illustrates an exemplary pictographic representation of deltafile software changes on a controller, consistent with embodiments ofthe present disclosure.

FIG. 6 depicts a flowchart of an exemplary process for generating andsigning line-of-code behavior and relation models, consistent withembodiments of the present disclosure.

FIG. 7 depicts a flowchart of an exemplary process for using aline-of-code behavior and relation model to determine softwarefunctionality changes, consistent with embodiments of the presentdisclosure.

FIG. 8 depicts a flowchart of are exemplary process for identifyingsoftware interdependencies based on functional line-of-code behavior andrelation models, consistent with embodiments of the present disclosure.

FIG. 9 depicts a flowchart of an exemplary process for identifyingsources of software-based malfunctions or errors, consistent withembodiments of the present disclosure.

FIG. 10 depicts a flowchart of an exemplary process for analyzinghardware change impacts based on a functional line-of-code behavior andrelation model, consistent with embodiments of the present disclosure.

FIG. 11 depicts a flowchart of an exemplary process for identifyingsoftware dependencies based on functional line-of-code behavior andrelation models, consistent with embodiments of the present disclosure.

FIG. 12A depicts a flowchart of an exemplary process for managingsoftware delta changes using functional line-of-code behavior andrelation models, consistent with embodiments of the present disclosure.

FIG. 12B depicts a flowchart of an exemplary process for analyzingsoftware delta changes based on functional line-of-code behavior andrelation models, consistent with embodiments of the present disclosure.

FIG. 13 depicts a flowchart of an exemplary process for analyzingcontrol-flow integrity based on functional line-of-code behavior andrelation models, consistent with embodiments of the present disclosure.

FIG. 14 depicts a flowchart of an exemplary process for visualizing andconfiguring controller function sequences consistent with embodiments ofthe present disclosure.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

Reference will now be made, in detail to exemplary embodiments, examplesof which are illustrated in the accompanying drawings and disclosedherein. Wherever convenient, the same reference numbers will be usedthroughout the drawings to refer to the same or like parts. Thedisclosed embodiments are described in sufficient detail to enable thoseskilled in the art to practice the disclosed embodiments. It is to beunderstood that other embodiments may be utilized and that changes maybe made without departing from the scope of the disclosed embodiments.Thus, the materials, methods, and examples are illustrative only and arenot intended to be necessarily limiting.

FIG. 1A illustrates an exemplary pictographic representation of system10, which may include a system 100. System 100 may be maintained by asecurity provider, software developer, an entity associated withdeveloping or improving computer software, dr any combination of theseentities. System 100 may include a security provider 102, which may be asingle device or combination of devices, and is described in furtherdetail with respect to FIG. 1C. Security provider 102 may be incommunication with any number of network resources, such as networkresources 104 a, 104 b, and/or 104 c. A network resource may be adatabase, supercomputer, general purpose computer, special purposecomputer, virtual computing resource, or any other data storage orprocessing resource.

System 10 may also include any number of controller systems, such ascontroller systems 108 a, 108 b, and 108 c, A controller system may be,for example, a home security system, a parking, garage sensor system, avehicle, an inventory monitoring system, a connected appliance,telephony equipment, a network routing device, a smart power grid systema drone or other unmanned vehicle, a hospital monitoring system, or anyother Internet of Things (IoT) system. A controller system may includecontrollers arranged in a local area network (LAN), a wide area network(WAN), or any other communications network arrangement. Further, eachcontroller system may include any number of controllers. For example,exemplary controller system 108 a includes controllers 110 a, 112 a, and114 a, which may have the same or different functionalities or purposes.These controllers are discussed further through the description ofexemplary controller 114 a discussed with respect to FIG. 1B. Controllersystems 108 a, 108 b, and 108 c may connect to system 100 throughconnections 106 a, 106 b, and 106 c, respectively. System 100 may alsoconnect through connection 106 d to a remote system 103, which mayinclude any number of computing devices (e.g., including a personaldesktop computer). Remote system 103 may be associated with a creator ofcode, a manufacturer of a physical component and/or device (e.g.,controller), a system (e.g., vehicle) manufacturer or another entityassociated with developing and/or deploying software. A connection 106may be a communication channel, which may include a bus, a cable, awireless (e.g., over-the-air) communication channel, a radio-basedcommunication channel, a local area network (LAN), the Internet, awireless local area network (WLAN), a wide area network (WAN), acellular communication network, or any Internet Protocol (IP) basedcommunication network and the like. Connections 106 a, 106 b, 106 c, and106 d may be of the same type or of different types.

Any combination of components of system 10 may perform any number ofsteps of the exemplary processes discussed herein, consistent with thedisclosed exemplary embodiments.

FIG. 1B illustrates an exemplary pictographic representation ofcontroller 114 a, which may be automotive controller, such as anelectronic control unit (ECU) (e.g., manufactured by companies such asBosch™, Delphi Electronics™, Continental™, Denso™, etc.), or may be anon-automotive controller, such as an IoT controller manufactured bySkyworks™, Qorvo™, Qualcomm™, NXP Semiconductors™, etc. Controller 114 amay be configured (e.g., through programs 126) to perform a singlefunction (e.g., a braking function in a vehicle), or multiple functions.Controller 114 a may perform any number of steps of the exemplaryprocesses discussed herein, consistent with the disclosed exemplaryembodiments.

Controller 114 a may include a memory space 116 and a processor 118.Memory space 116 may a single memory component, or multiple memorycomponents. Such memory components may include an electronic storagedevice, a magneto storage device, an optical storage device, anelectromagnetic storage device, a semiconductor storage device, or anysuitable combination of the foregoing. For example, memory space 116 mayinclude any number of hard disks, random access memories (RAMs),read-only memories (ROMs), erasable programmable read-only memories(EPROMs or Flash memories), and the like. Memory space 116 may includeone or more storage devices configured to store instructions usable byprocess 118 to perform functions related to the disclosed embodiments.For example, memory space 116 may be configured with one or moresoftware instructions, such as software program(s) 126 or code segmentsthat perform one or more operations when executed by processor 118(e.g., the operations discussed in connection with figures below). Thedisclosed embodiments are not limited to separate programs or computersconfigured to perform dedicated tasks. For example, memory space 116 mayinclude a single program or multiple programs that perform the functionsof system 10. Memory space 116 may also store data that is used by oneor more software programs (e.g., data relating to ECU functions, dataobtained during operation of the vehicle, or other data).

In certain embodiments, memory space 116 may store software executableby processor 118 to perform one or more methods, such as the methodsdiscussed below. The software may be implemented via a variety ofprogramming techniques and languages, such as C or MISRA-C, ASCET,Simulink, Stateflow, and various others. Further, it should beemphasized that techniques disclosed herein are not limited toautomotive embodiments. Various other IoT environments may use thedisclosed techniques, such as smart home appliances, network security orsurveillance equipment, smart utility meters, connected sensor devices,parking garage sensors, and many more. In such embodiments, memory space116 may store software based on a variety of programming techniques andlanguages such as C, C++, PHP, Java, JavaScript, Python, and variousothers.

Processor 118 may include one or more dedicated processing units,application-specific integrated circuits (ASICs), field-programmablegate arrays (FPGAs), graphical, processing units, Of various other typesof processors or processing units coupled with memory space 116.

Controller 114 a may also include a communication interface 120, whichmay allow for remote devices to interact with controller 114 a.Communication interface 120 may include an antenna or wired connectionto allow for communication to or from controller 114 a. For example, anexternal device (such as controller 114 b, controller 116 a, securityprovider 102, or any other device capable of communicating withcontroller 114 a) may send code to controller 114 a instructingcontroller 114 a to perform certain operations, such as changingsoftware stored in memory space 116.

Controller 114 a may also include power supply 122, which may be anAC/DC converter, DC/DC converter, regulator, or battery internal to aphysical housing of controller 114 a, and which may provide electricalpower to controller 114 a to allow its components to function. In someembodiments a power supply 122 may exist external to a physical housingof a controller (i.e., may not be included as part of controller 114 aitself), and may supply electrical power to multiple controllers (e.g.,all controllers within controller system 108 a).

Controller 114 a may also include input/output device (I/O) 124, whichmay be configured to allow for a user or device to interact withcontroller 114 a. For example, I/O 124 may include at least one of wiredand/or wireless network cards/chip sets (e.g., WiFi-based cellularbased, etc.), an antenna, a display (e.g., graphical display, textualdisplay, etc.), an LED, a router, a touchscreen, a keyboard, amicrophone, a speaker, a haptic device, a camera, a button, a dial, aswitch, a knob, a transceiver, an input device, an output device, oranother I/O device configured to perform, or to allow a user to perform,any number of steps of the methods of the disclosed embodiments, asdiscussed further below.

FIG. 1C illustrates an exemplary pictographic representation of securityprovider 102, which may be a single device or multiple devices. In theembodiment shown, security provider 102 includes a user device 128,which may be a computer, server, mobile device, special purposecomputer, or any other computing device that may allow a user to performany number of steps of the methods of the disclosed embodiments, asdiscussed further below. For example, user device 128 may include aprocessor 136, which may be configured to execute instructions stored atmemory 138.

User device 128 may also connect to database 130, which may be aninstance of a network resource, such as network resource 104 a. Database130 may store data to be used in methods of the disclosed embodiments,as discussed further below. For example, database 130 may maintain anynumber of models, consistent with the disclosed embodiments. Database130 may include any number of disk drives, servers, server arrays,server blades, memories, or any other medium capable of storing data.Database 130 may be configured in a number of fashions, including as atextual database, a centralized database a distributed database, ahierarchical database, a relational database (e.g., SQL), anobject-oriented database or in any other configuration suitable forstoring data. While database 130 is shown within security provider 102,it may also exist externally to it, such as at a remote cloud computingplatform.

In some embodiments, user device 128 may connect to a communicationinterface 132, which may be similar to communication interface 120and/or I/O 124. For example, communication interface 132 may include atleast one of wired and/or wireless network cards/chip sets (e.g.WiFi-based, cellular based, etc.), an antenna, a display (e.g.,graphical display, textual display, etc.), an LED, a router, atouchscreen, a keyboard, a mouse a microphone, a speaker, a hapticdevice, a camera, a button, a dial, a switch, a knob, a transceiver, aninput device, an output device, or another device configured to perform,or to allow a user to perform any number of steps of the methods of thedisclosed embodiments, as discussed further below. Communicationinterface 132 may also allow user device 128 to connect to other devicessuch as other devices within security provider 102, other devices withina system 100, and/or devices external to system 100, such as acontroller 114 a. In some embodiments, communication interface 132(e.g., an antenna) may connect with database 130, which may allow for adevice other than user device 128 (e.g., a controller external to system100) to communicate with database 130.

Security provider 102 may also include a display 134, which may beconnected to user device 128. Display 184 may include a liquid crystaldisplay (LCD), in-plane switching liquid crystal display (IPS-LCD),light-emitting diode (LED) display, organic light-emitting diode (OLED)display, active-matrix organic light-emitting diode (AMOLED) display,cathode ray tube (CRT) display, plasma display panel (PDP), digitallight processing (DLP) display, or any other display capable ofconnecting to a user device and depicting information to a user. Display134 may display graphical interfaces, interactable graphical elements,animations, dynamic graphical elements, and any other visual as thosediscussed with respect to FIG. 14 , among others.

FIG. 2 illustrates an exemplary pictographic representation of a set ofmodels with corresponding information tables and code portions. Any ofthese exemplary models may include a line-of-code behavior and relationmodel, such as is discussed with respect to FIG. 3 (e.g., a line-of-codebehavior and relation model 30), among others. The exemplary embodimentin FIG. 2 depicts a model 202, which includes model 208 and model 214,which are parts of it. Models 202, 208, and 214 may model code portions(e.g., code for execution on a controller) 204, 210 and 216,respectively. By way of example, model 202 may model computer code(e.g., code portion 204) configured to coordinate operations of an ECUassociated with turning a vehicle's rack and pinion, and model 208and/or model 214 may model computer code (e.g., code portion 210 and/or216) configured to add or remove functions or relationships, orotherwise change the capabilities of initial computer code modeled bymodel 202 (e.g., adding a feature of communication with a blind spotmonitor, to prevent the rack and pinion from turning when the blind spotmonitor detects an object in the vehicle's path). Any of these exemplarymodels may be generated as discussed with respect to FIG. 6 , amongothers.

FIG. 2 also illustrates code portion information table 200, 206, and212, which are associated with models 202, 208, and 214 respectively. Acode portion information table may contain information of eachrespective model and/or code portion, and may be labeled with adifferent block number and/or date associated with the model and/or codeportion e.g., a date when the associated model or code portion wascreated, modified deployed, etc.). In some embodiments, a code portioninformation table may hold a nonce, or any other number generated suchthat it can only be used once within a given system. A nonce may begenerated using information associated with a model and/or code portion,such as sequence of code, combination of functions, combination offunctional relationships type of device to which a model or code portionrelates, a time when the code portion was analyzed, or any otherinformation that may be unique to a model and/or code portion.

In some embodiments, a code portion information table may hold a hashvalue and/or a predecessor hash value. Any of these hash values may havebeen generated according to a hash function, described in further detailregarding FIG. 6 . The hash value may uniquely identify the model and/orits underlying code portion. The predecessor hash value may identify amodel and/or code portion that was previously associated with (e.g., wasa previous version of) the model and/or code portion with which theinformation table is associated. In this way, an identification linkagemay be created between subsequent changes to software, such that changesmay be tracked from a code perspective and functional perspective, andallowing for deeper analysis and rollback of software deployment. Whilethe term “hash” is used to describe this information in a code portioninformation table, it should be noted that any unique value may be usedas a hash value and/or predecessor hash value, which may or may not begenerated by a hash function.

FIG. 3 illustrates an exemplary pictographic representation ofline-of-code behavior and relation model 30, which may be generated by aprocessor (e.g., a processor at user device 128) according to a process(e.g., process 600). A line-of-code behavior and relation model 30 maybe expressed in data and stored on a storage medium, such as database130 or memory space 116). A line-of-code behavior and relation model mayrelate to any quantity of code (e.g., one line of code, multiple linesof code, a program, etc.). In some embodiments, a line-of-code behaviorand relation model may be created or modified through analysis of codeconfigured for execution on a controller (e.g., offline analysis at asecurity provider 102, such as through simulating behavior of a device,which may be based on real-time “online” behavior) A line-of-codebehavior and relation model may be used “online” by applying real-time(or in some embodiments, simulated) controller operations to the model,to demonstrate functioning of code on the controller. The term“line-of-code” is not necessarily limited to literal lines of code, butmay also include, instead of or in addition to lines of code, symbols(discussed below), symbol relationships (also discussed below), compiledcode, uncompiled code, a software package (e.g., for a software update),instruction sets, and/or any software whose functionality or behaviormay be analyzed.

A line-of-code behavior and relation model 30 may describe any number ofsymbols, such as symbol 300, symbol 302 c, symbol 306 b, etc. A symbolmay represent and/or store a number of pieces of information, includinga variable, buffer, function, call, object, segment of code, acontroller to which the symbol relates, a system to which the symbolrelates, or any other information related to the functional impact ofcode related to the symbol In some embodiments, a symbol may include afunctional block, which may describe a functional profile of a segmentof code. A functional profile may be developed through manual userinputs and/or machine-observed (e.g., through simulation) behavior. Insome embodiments, a line-of-code behavior and relation model 30 may bestochastic, deterministic, steady-state, dynamic, continuous, discrete,local, etc. In some embodiments, a line-of-code behavior and relationmodel 30 may include a functional call graph for code (e.g., based ongprof, OpenPAT, pprof, etc.).

As indicated in FIG. 3 by the arrows between symbols, symbols mayinfluence each other (i.e., they have a symbol relationship). By way ofexample, symbol 302 d may represent a buffer that is called by afunction represented by symbol 304 b in a process to update variablerepresented by symbol 306 a. While the arrows in this exemplary figureare shown moving from left to right, any combination of symbolrelationships (e.g., dependencies, interdependencies, etc.) betweensymbols is possible. Symbol relationships may be one-directional orbi-directional between symbols. Symbol relationships may also representan iterative or recursive relationship between symbols. In someembodiments, a symbol relationship may influence another symbolrelationship in addition to, or in place of, influencing another symbol.

FIG. 4 illustrates an exemplary pictographic representation of aninterface 40 for analyzing code behavior, which may be displayed at, forexample, display 134. Interface 40 may be displayed according to aprogram on a device, such as a program on user device 128 or one ofprograms 126. The visual depictions displayed by interface 40 may bebased on a process, such as those discussed with respect to FIGS. 6-14 .In some embodiments, a visual depiction displayed on interface 40 mayrelate to a particular controller, type of controller, system, type ofsystem, code portion, and/or line-of-code behavior and relation model.Interface 40 may display information statically (e.g., using a fixedinput, such as data from a controller) or dynamically using an inputchanging in real-time, such as real-time data from a controller). Insome embodiments, a user may be able to change statically displayedinformation by selecting a different fixed input. For example, interface40 may display a slider bar, along which a user may move a slider toselect a point in time that corresponds to a particular input, such asdata related to the behavior of a controller at a particular point intime. In some embodiments, an input may cause interface 40 to an mate asequence of frames showing a change in controller operation over time. Ause example a user of user device 128, may interact with interface 40using communication interface 132.

Interface 40 may include a symbol, relationship interface 400, which mayvisually depict symbol relationships, which may be represented by aline-of-code behavior and relation model 30, as discussed above. In someembodiments, symbol relationship interface 400 may display graphicaluser interface (GUI) elements 410. GUI elements 410 may representsymbols, such as those discussed with respect to FIG. 3 , among others.In some embodiments, symbol relationship interface 400 may displaysymbol relationships between GUI elements 410, as indicated by theexemplary black lines connecting these elements in the figure in someembodiments, a GUI element 410 and/or symbol relationships may have acombination of any of: a color, text, animation, shading, shape,position, size, a pictorial element (e.g., a red X mark), or any othervisual aspect capable of conveying information to a user viewinginterface 40. For example, as shown in FIG. 4 , GUI elements 410 havevarying types of shading, which may indicate that a symbol associatedwith a particular GUI element 410 is active, active, or malfunctioning.In some embodiments, symbol relationship interface 400 may displayinformation related to code underlying the symbols and/or symbolrelationships, such as a percent of code used. The information in symbolrelationship interface 400 may be displayed statically or dynamically,as discussed above.

Interface 40 may include other interfaces, such as resource interface402, functional behavior interface 404, and software state interface406. Resource interface 402 may depict current, past or future resourceusage associated with a device and/or system. For example, resourceinterface 402 may depict a current usage of CPU, memory, and/or networkbandwidth. In some embodiments, resource interface 402 may depictstatistical information related to resource usage, such an average levelof CPU usage or a historical variance network bandwidth usage. In soreembodiments, resource interface 402 may depict data derived fromresource usage and/or other information, which may be predictive. Forexample, resource interface 402 may depict a probability of downtime ofa device, system, etc. (e.g., as shown in FIG. 4 ). The information inresource interface 402 may be displayed statically or dynamically, asdiscussed above.

Interface 40 may include a functional behavior interface 404, which maydepict functional behavior associated with symbols and/or symbolrelationships depicted in symbol relationship interface 400. In someembodiments, functional behavior interface 404 may depict a change infunctional behavior over time, which may be shown in a variety of ways,including by a line graph (e.g., as shown in FIG. 4 with lines formingan operational envelope as “forecast”), a bar graph, a dynamicallycolored element (e.g., with a strength of a chromatic trait indicatingfurther deviation of behavior from an expected envelope), anycombination of these, and/or any visual indicator that can change overtime. The information in functional behavior interface 404 may bedisplayed statically or dynamically, as discussed above.

Interface 40 may also include a software state interface 406, which mayinclude GUI elements 408. In some embodiments, software state interface406 may depict a current state of software, which may be represented insymbol relationship interface 400 and/or associated with code on adevice (e.g. controller). For example, software state interface 406 maydepict original software installed on a controller and any number ofsubsequent changes to that software Such changes may be part of aconfiguration management process and may include, but are not limitedto, updates, rollbacks, deletions, additions, recalibration, parameteralterations, and/or any other change to software for a device. GUIelements 408, which may be included in software state interface 406,may, upon receiving an input, cause a change visual depictions ininterface 40, to code, and/or to a line-of-code behavior and relationmodel. For example, a GUI element 408, upon receiving an input, maychange code and/or a corresponding line-of-code behavior and relationmodel to an updated version. User interactions with visual depictions,which may be displayed on interface 40 are discussed further withrespect to FIG. 14 , among others. The information in software stateinterface 406 may be displayed statically or dynamically, as discussedabove.

FIG. 5 illustrates an exemplary pictographic representation of deltafile software changes on controller 114 a. Software on a controller(e.g., original software 502) may change over time, which may beaccomplished through storing a delta file (e.g., delta file 504) inmemory space 116. At different times, different delta files may bestored or removed from memory space 116, and/or different delta filesmay be currently implemented by software on controller 114 a. Forexample, at a time T1, delta file 504 may be stored in memory space 116,and may be currently implemented by original software 502 (as shown byan arrow in FIG. 5 ). At another point in time, T3, delta file 508(e.g., a software update, which may be part of a configurationmanagement process) may be stored in memory space 116, and may becurrently implemented by original software 502 (as shown by an arrow inFIG. 5 ). At yet another point in time, T4, software on controller 114 amay change from implementing delta file 508 to implementing a previousdelta file 506 (e.g., a rollback).

A combination of software (e.g., original software 502) and any numberof delta files (including zero delta files) may be modeled by aline-of-code behavior and relation model. In some embodiments, memoryspace 116 may also store a line-of-code behavior and relation modeland/or unique identifier, either or both of which may be associated withoriginal software 502 and/or a delta file (e.g., delta file 504). Inthese embodiments, a line-of-code behavior and relation model and/orunique identifier may be part of a delta file itself.

FIG. 6 shows an exemplary process 600 for generating and signingline-of-code behavior and relation models. In accordance with aboveembodiments, process 600 may be implemented in system 10 depicted inFIG. 1 , or any type of IoT network environment. For example, process600 may be performed by a sir (e.g., processor 136) and/or othercomponents of security provider 102 (e.g., database 130), or by anycomputing device or IoT system.

At step 602, process 600 may identify code, which may be executablecode, which may be configured for execution on a physical controller(e.g., an ECU of a vehicle an IoT controller, etc.). In someembodiments, process 600 may identify code configured for execution orother implementation on a virtual controller, execution on a personalcomputing device, and/or code that is not configured to execute. In someembodiments, the executable code may include, as an example, a softwarechange (e.g., update, patch, rollback, deletion, alteration,recalibration, parameter alteration, etc.) delta file. In someembodiments, the code may be identified when it is received at a device(e.g., user device 128), for example when the code is entered at userdevice 128 by a user, or when it is received having been sent fromanother device (e.g., controller 114 a).

At step 604, process 600 may perform a functional analysis of code, suchas the code received at step 602, which may determine a number offunctions associated with the code and/or a number of relationshipsbetween the number of functions. In some embodiments, performing afunctional analysis may involve parsing the received code for knownsegments (e.g., functions, variables etc. with determined functionaleffects) and/or unknown segments. In some embodiments, unknown segmentsmay have functional effects classified by a user (e.g., through an inputat security provider 102, which may update information in database 130).In some embodiments the functional analysis may involve simulating thecode in a physical or virtual computing environment to determinefunctional effects). In some embodiments, the code may be splitaccording to the functional effects of segments and/or functionalrelation ships between segments.

At step 606, process 600 may generate a line-of-code behavior andrelation model, which may be an instance of a line-of-code behavior andrelation model 30, discussed above. In some embodiments, theline-of-code behavior and relation model may be generated based on anynumber of the functions and relationships determined by the functionalanalysis at step 604. In some embodiments, the line-of-code behavior andrelation model may be generated through a machine learning process,which may include a statistical classification process, a dynamicanalysis process, determining a sequence of functions associated with asegment or segments of code, and/or determining a relationship betweenat least two of the functions of the sequence.

At step 608, process 600 may perform a signature operation on generatedline-of-code behavior and relation model. A signature operation mainclude a hash operation, cryptographic function, and/or any signingalgorithm. For example, the signature may be generated according toalgorithms such as SHA-256, MD6, Fast-Hash, universal one-way hashfunction, or others. The signature operation may produce a uniquesignature value associated with the line-of-code behavior and relationmodel, symbol, controller, and/or system. In some embodiments, theunique signature value may include hash value and/or a cryptographicnonce number. In some embodiments, the signature operation may be basedon a number of the symbols associated with a segment or segments ofcode, a type of at least one of the symbols, a number of therelationships in a line-of-code behavior and relation model, aconfiguration of the relationships in a line-of-code behavior andrelation model, a number of symbols associated with at least onerelationship, and/or any other characteristic of a line-of-code behaviorand relation model.

At step 610, process 600 may link a unique signature value (e.g., thevalue generated at step, 608) to a line-of-code behavior and relationmodel (the line-of-code behavior and relation model generated at step606 or a pre-existing line-of-code behavior and relation model, etc.).Linking the unique signature value may include generating a file havingboth the unique signature value and line-of-code behavior and relationmodel, writing the unique signature value to the field of theline-of-code behavior and relation model, embedding the unique signaturevalue to the line-of-code behavior and relation model, and/or making anotation in data to indicate that the unique signature value isassociated with the line-of-code behavior and relation model. In someembodiments, process 600 may assign the unique signature value to asegment or segments of code (e.g., a delta file), which the line-of-codebehavior and relation model may be associated with (e.g. when theline-of-code behavior and relation model was generated based on thesegment or segments of code). In some embodiments, linking the uniquesignature value to the line-of-code behavior and relation model mayinclude compressing the line-of-code behavior and relation model, whichmay occur at any point in the linking process (e.g., at the end). Insome embodiments, process 600 may send the line-of-code behavior andrelation model with the assigned signature value to a remote device(e.g., a controller 114 a), which may occur before or after step 610.

FIG. 7 depicts an exemplary process 700 for generating and signingline-of-code behavior and relation models. In accordance with aboveembodiments, process 700 may be implemented in system 10 depicted inFIG. 1 , or any type of IoT network environment. For example, process700 may be performed by a processor (e.g. processor 136) and/or othercomponents of security provider 102 (e.g., database 130), or by acomputing device or IoT system.

At step 702, process 700 may identify a first portion of code and asecond portion of code. Either or both the first and second portions ofcode may be executable code, which may be for implementation orexecution on a physical controller (e.g., an ECU which may be of avehicle) a virtual controller, a personal computing device, and/or maybe code that is not configured to execute. For example, at least one oft e execution of functions of the first portion of code or the executionof functions of the second portion of code may be an execution on aphysical or virtualized controller. In some embodiments, the firstportion of code may correspond to software that may be currentlydeployed and/or running on a device or of an earlier version than thesecond portion of code. Further, the second portion of code maycorrespond to a software change (e.g., a recalibration), which may beintended for a device currently having the first portion of code.Identifying the first and/or second portions of code may includegenerating the first and/or second portions of code, receiving the firstand/or second portions of code, and/or retrieving the first and/orsecond portions of code from a storage medium (e.g., memory space 116, astorage medium of remote system 103, memory 138 database 130, etc.).

At step 704 process 700 may access a first line-of-code behavior andrelation model, which may represent execution of functions of the firstportion of code. This model may be stored on a storage device (e.g.,database 130) accessible to a device performing process 700 (e.g., userdevice 128). In some embodiments, the first line-of-code behavior andrelation model may be an instance of a line-of-code behavior andrelation model 30, discussed above. For example, the first line-of-codebehavior and relation model may be a line-of-code behavior and relationmodel 30 that models symbols and symbol relationships associated withthe first portion of code. In some embodiments, the accessedline-of-code behavior and relation model may have been generatedaccording to a machine learning process, consistent with other disclosedembodiments.

At step 706 process 700 may construct, based on the second portion ofexecutable code, a second line-of-code behavior and relation model,which may represent execution of functions of the second portion ofcode. In some embodiments, the first line-of-code behavior and relationmodel may be a line-of-code behavior and relation model 30, which maymodel symbols and symbol relationships associated with the secondportion of code In some embodiments process 700 may link at least onefunction of the second portion of code to at least one segment of thesecond portion code.

In some embodiments, at least one of the first or second line-of-codebehavior and relation models may have been generated dynamically (e.g.generated using real-time data received from a device operating usingthe first or second portions of code). For example, a security provider102 may receive real-time operation information from a controller and/orcontroller system. Such dynamic generation may be performed using stepsdiscussed with respect to FIG. 13 , among others. In other embodiments,the first or second line-of-code behavior and relation model may havebeen generated statically (e.g., using pre-existing code not based onreal-time operations).

At step 708, process 700 may perform a functional differentialcomparison of the first line-of-code behavior and relation model to thesecond line-of-code behavior and relation model. In some embodiments,performing the functional differential comparison may involve comparingall of or portions of line-of-code behavior and relation models, whichmay be associated with the first and second line-of-code behavior andrelation models In addition to or instead of comparing line-of-codebehavior and relation models 30, process 700 may compare uniqueidentifiers or ether identifying information associated with the firstline-of-code behavior and relation model and the second line-of-codebehavior and relation model, respectively. In some embodiments, thefunctional differential comparison may include determining whetherfunctionality of the first portion of executable code falls within anoperational envelope related to at least one of: a CPU cycle, a memoryrequirement, speed of execution, or a functionality relationship. Insome embodiments, the functional differential comparison may be based onat least one of a difference of (e.g., between the first and secondline-of-code behavior and relation models): response time, sequence offunction execution, or memory leakage. Response time may be determinedbased on, for example, a measured time for a processor to respond to amessage (e.g., request for response, ping, or real-time message). Asequence of function execution may be represented by a stored sequence,average of prior function sequences, or machine learning process thatdetermines an expected function sequence. Memory leakage may beindicated, for example, as memory contents that should not be deletedfrom memory but are deleted, or memory contents that should be deletedbut are not deleted.

In some embodiments, process 700 may determine that a third portion ofcode is dormant (e.g., performing minimal actions, not used at all,obsolete, redundant, inefficient, part of a previous software change,etc.). This determination may be triggered based on the functionaldifferential comparison of step 708.

At step 710, process 700 may determine a status of functionalequivalence, which may include a status of functional equivalencebetween the first and second line-of-code behavior and relation models.In some embodiments, a status of functional equivalence may include astatus of equivalent or not equivalent a degree of equivalence, whichmay be used at step 716. A status of functional equivalence may be basedon a comparison performed at step 708. For example, a comparison at step708 may yield a degree of functional equivalence between the first andsecond line-of-code behavior and relation models, which may be expressedin a variety of ways. As a further example, such a degree of functionalequivalence may include a percentage of equivalence (e.g., 75%equivalent), determinations of equivalence of particular portions of thefirst and second line-of-code behavior and relation models (e.g., 99% ofsymbols between the models are equivalent, symbol “X-1” in the firstmodel is only 80% equivalent to a modified symbol “X-1” in the secondmodel, etc.) In some scenarios, process 700 may proceed to step 712directly from step 710, for example if a status of equivalent isdetermined at step 710. Process 700 may, in some cases, proceed to step716 and/or step 718 after performing step 710.

At step 712, process 700 may generate a report of a status of functionalequivalence, which may include a status determined at step 710, a degreeof functional equivalence, or any other information related tofunctional similarity or difference between the first and secondline-of-code behavior and relation models.

At step 714 process 700 may send a report of a status of functionalequivalence, which may include a report generated at step 712. In someembodiments, the report may identify at least one instance offunctionality drift, which may have been determined at, for example,step 708 or 710. In some embodiments, this report may be sent from adevice performing process 700 (e.g., user device 128) to a separatedevice (e.g., network resource 104 a, remote system 103, etc.). In someembodiments, the separate device may be a device associated with thefirst and/or second line-of-code behavior and relation models (e.g., adevice that provided code underlying the first and/or second models, adevice of a provider of code underlying the first and/or second models,a device of manufacturer of a component, device, or system for which thefirst and/or second portions of code are intended).

At step 716, process 700 may determine whether a degree of functionalequivalence (e.g., a degree of functional equivalence determined at step710) meets a threshold. The nature of the threshold may take on avariety of forms, including a percentage equivalence between the firstand second line-of-code behavior and relation models, a percentageequivalence between certain portions of the first and secondline-of-code behavior and relation models (e.g., between criticalportions of code within the first and second portions), or any otherquantification of equivalence between the first and second portions ofcode or between the first and second line-of-code behavior and relationmodels. In some embodiments, for example when a result of the functionaldifferential comparison exceeds a threshold, process 700 may determine,based on a determined difference, an estimated probability of downtime(e.g., of a device for which the second portion of code is intended),which may be expressed as a probability of downtime in a defined timeperiod.

In one embodiments, the threshold may have beer set at system 100 orremote system 103. For example, in some implementations a set ofregulations or specifications may determine the threshold for alloweddifferences in code functionality. One example may be the Type Approvalrules issued by the United Nations Economic Commission for Europe. Theserules may, for example, specify thresholds for software functionalitydeviations that are permitted for over-the-air hangs (updates,rollbacks, alterations, etc.). In some situations, the threshold may be0% (i.e., no deviation in functionality is permitted for an over-the-airchange), while in other situations the threshold may be higher. Similarregulations and rules may determine when IoT controllers (e.g.,electronics controllers, industrial controllers, mechanical devicecontrollers, appliance controllers, etc.) are permitted to receiveover-the-air software changes. In this manner, the disclosed techniquesare able to comply with government or industry regulations in anefficient and secure manner, allowing for permitted over-the-air changesand not impermissible changes that entail significant functionaldifferences. The determined degree of functional equivalence may dictatefurther steps taken by process 700. For example if the determined degreeof function equivalence meets the threshold, process 700 may proceed tostep 712; if the determined degree of functional equivalence does notmeet the threshold, process 700 may proceed to step 718.

At step 718, process 700 may generate a prompt, which may be based on adetermination made at step 710 and/or step 716. In some embodiments, theprompt may include a warning, a degree of functional equivalence, or anyother information determined as part of process 700. In someembodiments, a prompt may tag the second portion of code, the secondline-of-code behavior and relation model, and/or unique identifier.Tagging may include labeling code, a model, and/or an identifier asunusable, malicious, bugged, or otherwise inappropriate for use on adevice. In some embodiments, tagging may involve disabling code and/orsending a notification to a device to not permit execution of the code.

FIG. 8 depicts an exemplary process 800 for identifying softwareinterdependencies based on functional line-of-code behavior and relationmodels. In accordance with above embodiments, process 800 may beimplemented in system 10 depicted in FIG. 1 , or any type of IoT networkenvironment. For example, process 800 may be performed by a processor(e.g., processor 136) and/or other components of security provider 102(e.g., database 130), or by computing device or IoT system.

At step 802, process 800 may identify a first portion of code, which maybe associated with a controller. For example, the first portion of codemay be configured to implement or execute on a physical controller(e.g., ECU), a virtual controller, a personal computing device, and/ormay not be configured to execute. In some embodiments, the first portionof code may correspond to software that may be currently deployed and/orrunning on a device (e.g., controller), or may correspond to a softwarechange (e.g., an update, fix, patch, alteration deletion, recalibration,parameter alteration etc., any of which may be part of a configurationmanagement process). In some embodiments, the first portion of code maybe associated with a sensitivity valise, which may be a value describingthe criticality of the first portion of code to a device and/or systemto which it relates. As such, a sensitivity value may be based on thefrequency with which the first portion of code is used when softwareincluding the first portion of code is executed on a device, level ofimportance of a device with which the first portion is associated to asystem overall (e.g., an ECU controlling a braking function may have ahigher level of importance than an ECU controlling an air conditioningfan speed a number of dependencies or interdependencies that the firstportion of code has, or any other measure of a degree of involvement thefirst portion of code has with a device and/or system. While the firstportion of code is discussed here as being associated with a firstsensitivity value, other portions of code, symbols, and/or individualdevices (e.g., controllers) may also be associated with sensitivityvalues, as is discussed further with respect to other embodiments.Identifying the first portion of code may include generating the firstportion of code, receiving the first portion of code, and/or retrievingthe first portion of code from a storage medium (e.g., memory space 116,a storage medium of remote system 103, memory 138 database 130, etc.)

At step 804, process 800 may access a functional line-of-code behaviorand relation model, which may represent functionality of a portion ofcode (e.g., the portion of code identified at step 802). In someembodiments, the accessed functional line-of-code behavior and relationmodel may be a be a line-of-code behavior and relation model 30, and maymodel symbols and symbol relationships associated with the first portionof code. In some embodiments, accessing the functional line-of-codebehavior and relation model may include generating the functionalline-of-code behavior and relation model, receiving the functionalline-of-code behavior and relation model, and/or retrieving thefunctional line-of-code behavior and relation model from a storagemedium (e.g., memory space 116, a storage medium of remote system 103,memory 138, database 130, etc.).

At step 806, process 800 may determine a second portion of code, whichmay include a software change (e.g., update) for a controller. Forexample, as with the first portion of code, the second portion of codemay be configured to implement or execute on a physical controller(e.g., ECU), a virtual controller, a personal computing device, and/ormay not be configured to execute. In some embodiments, a sensitivityvalue is associated with the second portion of code (such as asensitivity value discussed at step 802). In some embodiments, thesecond portion of code may be associated with the same device (e.g.,controller) as the first portion of code. In some embodiments, the firstportion of code may be associated with a first controller and the secondportion of code may be associated with a second controller, and both thefirst and second controllers may be part of the same device or system(e.g., at least portion of a vehicle, building, network, etc.).Determining the second portion of code may include generating the secondportion of code, receiving the second portion of code (e.g., from aremote system 103), and/or retrieving the second portion of code from astorage medium (e.g., memory space 116, a storage medium of remotesystem 103, memory 138, database 130, etc.).

At step 808, process 800 may determine an interdependency. For example,process 800 may determine that the second portion of code isinterdependent with the first portion of code, in some embodiments, thefirst and second portions of code may be associated with the same device(e.g., controller), such that the interdependency is internal to thedevice. In some embodiments, this determination may be based on afunctional line-of-code behavior and relation model (e.g., the modelaccessed at step 804, a model associated with the first portion of code,a model associated with the second portion of code, etc.). Theinterdependency may be determined by comparing symbols or symbolrelationships of two different line-of-code behavior and relationmodels.

In some embodiment determining an interdependency may includedetermining a functional impact of the first portion of code on thesecond portion of code. For example, process 800 may determine a statusand/or change in functionality associated with interdependent portionsof code (e.g., according to process 700, or other processes discussedherein). By way of example, a change to one portion of code may resultin functional changes at other portions of code (e.g., related to thesame device), and process 800 may determine the nature (e.g., degree offunctional equivalency) of each functional change at the other portions,to the extent there are any. Process 800 may also determine a type ofinterdependency (e.g., a uni-directional interdependency, abi-directional interdependency, an interdependency impacting a criticalportion of code, an interdependency impacting a non-critical portion ofcode, etc.) and/or a strength of interdependency (e.g., a number ofsymbols affected, a frequency of impact to a symbol, a potential oractual amount of change to a symbol, etc.). In some embodiments, thefunctional impact may be based on a sensitivity value associated withthe first portion of code (i.e., a first sensitivity value) and asensitivity value associated with the second portion code (i.e., asecond sensitivity value). In some embodiments, process 800 maydetermine that the functional impact exceeds a threshold. As discussedabove, the threshold may be dynamically set (e.g., based on a machinelearning process), or statically set (e.g., manually set, or set basedon a government regulation defining a permitted degree of functionaldifference).

In some embodiments, process 800 may identify a first signature uniquelyidentifying the first portion of code and a second signature uniquelyidentifying the second portion of code. Process 800 may link thesignatures together (e.g., in a cross-reference or lookup table), whichmay describe interdependencies in a useful compact format.

At step 810, process 800 may generate a report, in some embodiments thereport may be based on the determined interdependency and/or mayidentify interdependent portions of code (e.g., the first and secondportions of code of steps 802 and 806). The report may identify a typeand/or strength of interdependency (e.g., as discussed with respect tostep 808). The report may include a functional impact, such as afunctional impact determined at step 808.

In some embodiments, process 800 may generate a visual depiction of thedetermined interdependency. For example, a visual depiction may show aninterdependency in a graphical representation of two line-of-codebehavior end relation models. In some embodiments the visual depictionmay be the same as or similar to that shown in symbol relationshipinterface 400. The visual depiction may include a visual element of thedetermined interdependency, a visual element of the first portion ofcode, a visual element of the second portion of code, and/or visualelements of other portions of code. In some embodiments, the visualdepiction may be based on the determination that the functional impactexceeds the threshold (e.g., the visual depiction may indicate thedegree to which the functional impact exceeds the threshold, the visualdepiction may only display if the function impact exceeds the threshold,etc.).

FIG. 9 depicts an exemplary process 900 for identifying sources ofsoftware-based malfunctions or errors. In accordance with aboveembodiments, process 900 may be implemented in system 10 depicted inFIG. 1 , or another type of IoT network environment. For example,process 900 may be performed by a processor (e.g., processor 136) and/orother components of security provider 102 (e.g., database 130), or by acomputing device or IoT system.

At step 902 process 900 may identify a potential or actual softwaremalfunction. In some embodiments, the identified potential or actualsoftware malfunction may be associated with (e.g., occurring in) asystem, which may have multiple rode sets associated with a plurality ofdifferent software sources (e.g., devices, software developers etc.).For example, the multiple code sets may have been developed by aplurality of different software developers, may be associated withdifferent devices that generated the code sets, may be associated withdifferent geographies, etc. In some embodiments, multiple code sets maybe associated with at least one controller (e.g., ECU) of a system(e.g., vehicle). In some embodiments where the multiple code sets areassociated with different software developers, each of the plurality ofdifferent software developers may have a unique source identifier, andeach code set may be associated with one of the unique sourceidentifiers. As with all embodiments discussed herein, a system is notnecessarily limited to a physical system, but may instead include avirtual system.

Code sets may also be associated with different functions. For example,one code set may be associated with controlling one operation in asystem (e.g., steering in a vehicle), whereas another code set may beassociated with controlling a different operation in a system (e.g.,blind spot detection). In some embodiments, code sets may be dependenton each other (e.g., as discussed with respect to FIG. 11 ).

At step 904, process 900 may access a line-of-code behavior and relationmodel, which may represent execution of functions of the code sets. Insame embodiments, the accessed line-of-code behavior and relation modelmay only represent a single code set. In some embodiments, theline-of-code behavior and relation model may represent execution offunctions of the code set identified at step 906. In some embodiments,the accessed line-of-code behavior and relation model may have beengenerated dynamically based on data associated with real-time operationsof at least one device (e.g., controller). After performing step 904,process 900 may proceed with step 906 and/or step 914.

At step 906, process 900 may identity a code set. The code set may beidentified based on the line-of-code behavior and relation model, andthe code set may be determined to have the potential to cause, or havecaused, a least in part, a software malfunction. For example, process900 may analyze the line-of-code behavior and relation model (e.g.,through simulation of operations, using real-time operational data,etc.) to determine a code set or a part of a code set associated withthe potential or actual software malfunction.

In some embodiments, multiple code sets may be associated with thepotential or actual software malfunction. In these scenarios, themultiple code sets may be interdependent with each other (i.e., ifwithin the same device).

At step 908, process 900 may determine a code set identifier, which maybe a source identifier of the identified code set (e.g., an identifierindicating a device or software developer that generated the identifiedcode set, an identifier indicating a device with which the code set isassociated, etc.).

At step 910, process 900 may generate a report of the potential oractual software malfunction. A report of the potential or actualsoftware malfunction may include an estimated time of downtime,identifiers of devices and/or systems potentially or actually impactedby the potential or actual software malfunction, a number of devicesand/or systems potentially or actually impacted by the potential oractual software malfunction, an indication of the criticality of themalfunction (e.g., based on the types of devices and/or systemsaffected, the level of impact of the potential or actual softwaremalfunction, etc.).

At step 912, process 900 may send a report of the potential or actualsoftware malfunction to a remote source (e.g., remote system 103) whichmay be associated with the identified source identifier.

At step 914, process 914 may identify a delta file. This step may beimportant in some embodiments, such as where the identification of thepotential software malfunction (e.g., in a system) may be based on arecent software change to a component (e.g., controller). For example,the identification of the potential software malfunction may result froma software change implemented, or planned to be implemented, on acomponent using a delta file. In some embodiments, such as those where adelta file is associated with the identified malfunction, a delta filemay be associated with a unique identifier, and the unique identifiermay be included in the report, which may allow for improved responsiveaction, such as at step 916.

At step 916, process 900 may implement a responsive action. Such aresponsive action may be taken in response to the identifiedmalfunction. For example, process 900 may revert software on a component(e.g., a controller) associated with the identified malfunction bydelinking a delta file from current software on the component. Delinkinga delta file may involve any number of different actions, includingchanging a pointer in memory (e.g., memory space 116, such as shown inFIG. 5 ), deleting a delta file, changing a unique identifier associatedwith a delta file, sending a software change to a controller, and/orexecuting an action at a controller such that it implements a version ofsoftware without implementing the delinked delta file. A variety ofother responsive actions may be taken, such as sending a notification toa remote device (e.g., an infotainment screen in a vehicle of acontroller associated with the delta file, generating and/or sending areport as discussed with respect to steps 910 and 912, etc.), halting anoperation on a component, reverting software on components dependent onthe component with which the identified malfunction is associated,halting an operation on a dependent controller, etc.

FIG. 10 depicts an exemplary process 1000 for analyzing hardware changeimpacts based on a functional line of code behavior and relation model.In accordance with above embodiments, process 1000 may be implemented insystem 10 depicted in FIG. 1 or any type of IoT network environment. Forexample, process 1000 may be performed by a processor (e.g., processor136) and/or other components of security provider 102 (e.g., database130), or by any computing device or IoT system. In some embodiments,process 1000 may be initiated when a system determines that a newhardware component is operating or attempting to operate in the system.

At step 1002, process 1000 may identify a new hardware component, whichmay be associated with (e.g., be a part of) a system. In someembodiments, the new hardware component may be a controller, and in evenmore specific embodiments, the new hardware component may be an ECU in avehicle (i.e., a system). In some embodiments, the new hardwarecomponent may be configured, selected, prepared, etc. to glace aprevious hardware component.

At step 1004, process 1000 may access a first line-of-code behavior andrelation model, which may represent execution of functions in a systemusing the new hardware component. The first line-of-code behavior andrelation model may have been generated based on data associated withsimulated operations of the new hardware component. In some embodiments,process 1000 may also access a second line-of code behavior and relationmodel, which may represent execution of functions on a previous hardwarecomponent of the system. The second line-of-code behavior and relationmodel may have been generated dynamically based on data associated withreal-time operations of the previous hardware component.

In some embodiments, accessing the functional line-of-cod behavior andrelation model may include generating the functional line-of-codebehavior and relation model, receiving the functional line-of-codebehavior and relation model, and/or retrieving the functionalline-of-code behavior and relation model from a storage medium (e.g.,memory space 116, a storage medium of remote system 103, gory 138,database 130, etc.).

At step 1006, process 1000 may perform a functional differentialcomparison, which may include a comparison of the first line-of-codebehavior and relation model the second line-of-code behavior andrelation model.

At step 1008, process 1000 may determine a status of functionalequivalence, which may be based on the functional differentialcomparison performed at step 1006. In some embodiments a status offunctional equivalence may include a status of functional equivalencebetween the new hardware component and the previous hardware component.In some embodiments, step 1008 may be similar to step 710 in process700, with either or both of the new and previous hardware componentshaving an associated portion of code and/or line-of-code behavior andrelation model. In some embodiments, process 1000 may determine thatthere is or is not a functional difference between a new hardwarecomponent and a previous hardware component (and/or correspondingportion of code and/or line-of-code behavior and relation model).

At step 1010, process 1000 may generate a report of a status offunctional equivalence, which may be a report identifying the status offunctional equivalence determined at step 1008. In some embodiments, thereport may be based on a determined difference between a new hardwarecomponent and a previous hardware component (and/or correspondingportion of code and for line-of-code behavior and relation model), whichmay have been determined at step 1008.

At step 1012, process 1000 may send a report of a status of functionalequivalence, which may include a report generated at step 1012. In someembodiments, the report may identify at least one instance offunctionality drift, which may have been determined at, for example,step 1008 or 1010. In some embodiments, this report may be sent from adevice performing process 1000 (e.g. user device 128) to a separatedevice (e.g., network resource 104 a, remote system 103, etc.). In someembodiments, the separate device may be associated with the new and/orprevious hardware component (and/or corresponding portion of code and/orline-of-code behavior and relation model). For example the separatedevice may be associated with a manufacturer of code-writer for the newand/or previous hardware component.

At step 1014, process 1000 may determine whether a degree functionalequivalence (e.g., a degree of functional equivalence determined at step1008) meets a threshold. The nature of the threshold may take on avariety of forms, including a percentage equivalence between the new andprevious hardware components, a percentage equivalence between certainportions of the first and secant line-of-code behavior and relationmodels (e.g. between critical portions of code within the first andsecond portions) associated with the new and previous hardwarecomponents, or any other quantification of equivalence between the newand previous hardware components. As discussed above, the threshold maybe static or dynamic in nature.

Process 1000 may also make other determinations, which may be based onthe new hardware component. For example, in some embodiments, forexample when a result of the functional differential comp on exceeds athreshold; process 1000 may determine, based on a determined difference,an estimated probability of downtime (e.g., of the new hardwarecomponent, of a component dependent with the new hardware component,etc.), which may be expressed as a probability of downtime in a definedtime period. In some embodiments, such as those where the new hardwarecomponent is a controller process 1000 may also determine that at leastone hardware component, which may be another controller, is dependentwith the new hardware component. In yet other embodiments, process 1000may determine that at east one hardware component (e.g., a componentwithin a controller) is interdependent with the new hardware component(e.g., another component of the same controller).

Process 1000 may also take a s when a component is determined bedependent with the previous hardware component. For example, process1000 may access a line-of-code behavior and relation model, which mayrepresent execution of functions on at least one dependent hardwarecomponent and the previous hardware component. Further, process 1000 maygenerate a line-of-code behavior and relation model that representsexecution of functions on the at least one dependent hardware componentand the new hardware component. Whether these two line-of-code behaviorand relation models were generated as part of process 1000, process 1000may perform a functional differential comparison of these two models.And, process 1000 may determine a change in functional equivalencewithin the system (e.g., a functional difference identified with respectto the dependent component), which may be based on the functionaldifferential comparison. In some embodiments, process 1000 may generatea report identifying such a change, which may be based on the determineddifference.

In some embodiments, such as those where a functional difference isdetermined, process 1000 may determine that the new hardware componentis unauthorized, which may be based on the determined difference (e.g.,if the degree of functional equivalence does not meet a threshold).

In some embodiments, the threshold may been set at system 100 or remotesystem 103. The determined degree of functional equivalence may dictatefurther steps taken by process 1000. For example, of the determineddegree of functional equivalence meets the threshold process 1000 mayproceed to step 1010; if the determined degree of functional equivalencedoes not meet the threshold, process 1000 may proceed to step 1016. Asdiscussed above, in some embodiments the threshold is static (e.g.,defined by a government industry regulation or rule), while in otherembodiments it is dynamic (e.g., based on a machine learning process).

At step 1016, process 1000 may generate a prompt, which may be based ona determination made at step 1008 and/or step 1014. In some embodimentthe prompt may include a warning, a degree of functional equivalence, orany other information determined as part of process 1000. Process 1000may block operation of the new hardware component, which may be based ona determination that the new hardware component is unauthorized. Forexample, a prompt may tag the new hardware component, a portion of codeassociated with the new hardware component, a second line-of-codebehavior and relation model associated with the new hardware component,and/or unique identifier. Tagging may include labeling (e.g., insoftware) code, a model, the component and/or an identifier as unusable,malicious bugged, or otherwise inappropriate for use in a system. Insome embodiments, tagging may involve disabling code and/or sending anotification to a system to not permit installation of the newcomponent. Other tagging actions may include those discussed withrespect to FIG. 7 .

FIG. 11 depicts an exemplary process 1100 for identifying softwaredependencies based on functional line-of-code behavior and relationmodels. In accordance with above embodiments, process 1100 may beimplemented in system 10 depicted in FIG. 1 , or any type of IoT networkenvironment. For example, process 1100 may be performed by a processor(e.g., processor 136) and/or other components of security provider 102(e.g., database 130), or by any computing device or IoT system. In someembodiments, process 1100 may be initiated when a system determines thatnew hardware component is operating or attempting to operate in thesystem.

At step 1102 process 1100 accesses a first line-of-code behavior andrelation model, which may represent execution of functions of a firstportion of code (e.g., executable code, which may be configured toexecute on a controller). In some embodiments, the first portion of codemay be associated with a first symbol, which may be at least one of avariable, buffer, function, call, object, and/or segment of code, andmay have any other characteristic of a symbol as discussed in otherembodiments. The first portion of code may also be associated with asensitivity value (such as a sensitivity value discussed with respect toFIG. 8 , among others).

At step 1104, process 1100 may detect a change to the first portion ofcode. A change to a portion of code may include code change implementedat a physical controller, a virtual controller, a simulated change madeby a user, and/or a code change at any other device.

At step 1106, process 1100 may construct, a second line-of-code behaviorand relation model, which may represent execution of functions of thechanged first portion of executable code. In some embodiments, theconstruction of the second line-of-code behavior and relation model maybe based on the changed first portion of executable code.

At step 1108, process 1100 may determine a dependency. In someembodiments, this may include a dependency between either the changedfirst portion of executable code or the first symbol and a secondsymbol. The second symbol may be at least one of a variable, buffer,function, call, object, and/or segment of code, and may have any othercharacteristic of a symbol as discussed in other embodiments. The secondsymbol may also be associated with a sensitivity value (such as asensitivity value discussed with respect to FIG. 8 , among others). Insome embodiments, the dependency may be based on the constructed secondmodel. The dependency may also be determined remotely by operating thesecond line-of-code behavior and relation model remotely from a firstand second controller (e.g., controllers associated with the firstportion of code and second symbol, respectively). In embodiments whereprocess 1100 concerns at least one controller, such a controller may bepart of a group of electronic control units (ECUs) in a vehicle.

Process 1100 may also determine information related to the dependency.For example, process 1100 may determine an impact to the second symbolcaused by the changed first portion of code, which may be based on thesensitivity values (e.g., sensitivity values associated with the changedfirst portion of code and the second symbol). In some embodiments, thedependency may include a strength of association between the firstsymbol and the second symbol, which may be based on a frequency withwhich the first symbol interacts with the second symbol, the firstportion of executable code being configured to call or modify the secondsymbol, a number of symbols affected, a frequency of impact to a symbol,a potential or actual amount of change to a symbol, etc. In someembodiments, the second symbol may be associated with a controller(e.g., possibly a second controller, with the first portion of codepossibly being associated with a first controller). In some embodiments,process 1100 may determine a status and/or change its functionalityassociated with interdependent portions of code (e.g., according toprocess 700, or other processes discussed herein). For example, a changeto one portion of code may result in functional changes at otherportions of code (e.g., code on other devices), and process 1100 maydetermine the nature (e.g., degree of functional equivalency) of eachfunctional change at the other portions, to the extent there are any. Asan illustrative example, changing the first portion of code fora cameraon a vehicle may affect the functioning of a self-parking feature, whichmay involve other ECUs, such as those controlling steering. In otherwords, in some embodiments, such as those where a system includesmultiple devices, a controller (or other device) whose code did notchange may change may still experience a change in functionality changeat other device.

At step 1110, process 1100 may generate a report. In some embodiments,the report may be based on the determined difference and/or may identifythe dependency. The report may also identify multiple dependencies, forexample if steps of process 1100 are performed multiple times. In someembodiments, the report may contain additional information associatedwith the dependency. For example, in embodiments where process 1100identifies an impact to the second symbol caused by the changed firstportion of code, this impact may be included in the report. Process 1100may also take other actions related to the determined dependency. Forexample process 1100 may generate a visual depiction of the determineddependency, consistent with other embodiments disclosed herein.

FIG. 12A depicts an exemplary process 1200A for managing software deltachanges using functional line-of-code behavior and relation models. Inaccordance with above embodiments, process 1200A may be implemented insystem 10 depicted in FIG. 1 , or any type of IoT network environment.For example, process 1100 may be performed by a processor (e.g.,processor 136) and/or other components of security provider 102 (e.g.,database 130), or by a computing device or IoT system.

At step 1202, process 1200A may identify a prompt to change software,which may include software change code, such as code to change a firstversion of code on a device (e.g., controller) to a second version ofcode. In some embodiments, the second version of code may be deployedsubsequent to the first version of code (e.g., as an update). In someembodiments, the prompt may include a delta file (e.g., a delta fileconfigured to change software on a controller). In some embodiments,software change code may be configured for execution or otherimplementation on a virtual controller, execution on a personalcomputing device, and/or may be code that is not configured to execute.In some embodiments, the prompt may be identified when it is received ata device (e.g., user device 128), for example when the code is enteredat user device 128 by a user, or when it is received having been sentfrom another device (e.g., remote system 103).

At step 1204, process 1200A may construct a line-of-code behavior andrelation model, which may be based on the prompt identified at step1202, and may represent execution of functions of a controller based ona second version of code.

At step 1206, process 1200A may perform a signature operation, which maybe performed on the generated line-of-code behavior and relation model,and which may produce a signature value. The signature operation may besimilar to those described with respect to FIG. 6 (e.g., the signatureoperation may include a hash operation cryptographic function, and/orany signing algorithm), among others. In some embodiments, the signatureoperation may be based on an identifier of a controller (e.g., acontroller associated with the prompt to change software, constructedline-of-code behavior and relation model, etc.). The signature operationmay also be based on a type, function, version of software, sensitivityvalue, age, or processing capacity of the controller.

At step 1208, process 1200A may send the signature value and/or softwarechange code (e.g., from step 1202. In some embodiments, the signaturevalue and/or software change code may be sent to a controller, which mayperform process 1200B upon receiving the signature value and/or softwarechange code.

FIG. 12B depicts an exemplary process 1200B for analyzing software deltachanges based on functional line-of-code behavior and relation models.In accordance with above embodiments, process 1200A may be implementedin system 10 depicted in FIG. 1 , or any type of IoT networkenvironment. For example, process 1100 may be performed by a processor(e.g., processor 118) and/or other components of a controller system(e.g., controller system 108 a), or by any computing device or IoTsystem.

At step 1210, process 1200B may receive a signature value and/orsoftware change code (e.g., sent at step 1208, such as from a securityprovider 102). For example, the may signature value and/or softwarechange code may be received by a controller (e.g., controller 114 a),which may be configured to (i) compare the received signature value to acomputed signature value that the controller is configured to computebased on the second version of code and determine, e.g., based on thecomparison, whether to validate the second version of code, as isdiscussed further with respect to process 1200B.

At step 1212, process 1200B may compute a signature value. As discussedabove, the signature may be generated in accordance with a variety ofdifferent algorithms. Process 1200B may begin computing a signaturevalue by constructing a line-of-code behavior and relation model, whichmay be based on the identified prompt and may represent execution offunctions of the controller based on a second version of code. Process12008 may perform a signature operation on the constructed line-of-codebehavior and relation model, which may produce a computed signaturevalue. The signature operation may be similar to or the same as thosedescribed at step 1206.

At step 1214, process 1200B may compare a received signature value and acomputed signature value.

At step 1216, process 1200B may determine whether a received signaturevalue and a computed signature value match, which may be based on acomparison performed at step 1214. This determination may validate thereceived signature value and/or software change file associated with thereceived signature value, and may direct process 1200B to step 1218and/or step 1220.

At step 1218, process 1200B may process software change code, such assoftware change code received at step 1210. In some embodiments, process1200B may execute a second version of code on the controller based onthe validation performed at step 1216. For example, if process 1200Bdetermined that a received and computed signature value for a secondversion of code match, it may proceed to execute code to implement thesecond version of code on a controller.

At step 1220, process 1200B may implement a corrective action, which maybe based on a validation performed at step 1216. In some embodiments, acorrective action may be implemented when process 1200B has determinedthat a received and a computed signature value do not match. Acorrective action may include preventing execution of a second versionof code (e.g., associated with the received signature value) on acontroller, notifying a remote source associated with a second versionof code (e.g., remote system 103).

In some embodiments, line-of-code behavior and relation models involvedin process 1200A and/or process 1200B may be the same as or similar toline-of-code behavior and relation models from other embodiments. Forexample, at least one of a line-of-code behavior and relation modelconstructed at step 1204 or step 1212 may have been generateddynamically based on data associated with real-time operations of acontroller. In some embodiments, this data may be limited (e.g., to datafrom a particular time frame, from a particular set of devices, from aparticular set of systems, sampled at a particular rate, etc.) based ona group of parameters they may be set remotely from a device (e.g.remotely from a controller for which a software change file isintended).

FIG. 13 depicts an exemplary process 1300 for analyzing control-flowintegrity based on functional line-of-code behavior and relation models.In accordance with above embodiments, process 1300 may be implemented insystem 10 depicted in FIG. 1 , or any type of IoT network environment.For example, process 1300 may be performed by a processor (e.g.,processor 136) and/or other components of security provider 102 (e.g.,database 130), or by any computing device or IoT system. In someembodiments, any number of steps of process 1300 may be performedperiodically, such as according to a period based on a sensitivity valueassociated with a controller.

At step 1302, process 1300 may receive data, which may be based onruntime operations of any number of controllers (e.g., the received datamay be based on runtime operations of a first controller and a secondcontroller). In some embodiments, such a controller (or controllers) maybe associated with a software change. In some embodiments, the data mayinclude multiple datasets associated with different runtime operations.Process 1300 may also apply, as part of step 1302 or another step in theprocess, a machine learning process to such multiple datasets, which mayproduce analytical data.

At step 1304, process 1300 may perform a functional analysis, which maybe performed on data received at step 1302.

At step 1306, process 1300 may construct a line-of-code behavior andrelation model, which may represent execution of functions on acontroller, and which may be based on the received data. In someembodiments constructing a line-of-code behavior and relation model maybe based on analytical data (e.g., produced at step 1302). In someembodiments, process 1300 may identify a software change to thecontroller, and may construct the line-of-code behavior and relationmodel based on the identified software change. In some embodimentsprocess 1300 may perform a signature operation on a constructedline-of-code behavior and relation model, which may produce signaturevalue.

At step 1308, process 1300 may construct a dynamic control flowintegrity model, which may be based on the line-of-code behavioral andrelation model, and which may be configured for a controller to enforcein real-time.

At step 1310, process 1300 may deploy the dynamic control flow integritymodel to a controller (or controllers). Deployment may includecompressing the dynamic control flow integrity model, sending thedynamic control flow integrity model to a controller, sending thedynamic control flow integrity model to a system, etc. In someembodiments, a dynamic control flow integrity model may be deployed witha signature value (e.g., a signature value produced at step 1306 may besent with a dynamic control flow integrity model).

A controller to which the dynamic control flow integrity model isdeployed may be configured in various ways, which allow for effectiveimplementation of the dynamic control flow integrity model. For example,a controller may be configured to detect a request to execute code onthe controller, and to compare the requested execution to the dynamiccontrol flow integrity model. In addition, such a controller may beconfigured to take certain actions based on comparing requestedexecution to a dynamic control flow integrity model. For example, acontroller may be configured to deny execution of the code on thecontroller if the requested execution violates the dynamic control flowintegrity model. As another example, a controller may also be configuredto generate an alert if the requested execution violates the dynamiccontrol low integrity model.

In some embodiments, a controller or other device may take actions tovalidate a dynamic control flow integrity model. For example, acontroller may be configured to compare a received signature value(e.g., received as part of a deployment) to a computed signature value,which the controller may be configured to compute. Such computation maybe based on the received data of step 1302 and/or data of operationsassociated with a controller. In some embodiments, a controller may beconfigured to determine whether to validate the dynamic control flowintegrity model, which may be based on the comparison of a receivedsignature value to a computed signature value. For example if twosignature values match, a controller may determine that a receiveddynamic control flow integrity model is valid, and may operate accordingto the model. In some embodiments, signature values may be computed fora dynamic control flow integrity model, either instead of or in additionto computing a signature value for a line-of-code behavior and relationmodel. Signature values computed for a dynamic control flow integritymodel may be used in the same way as signature values for a line-of-codebehavior and relation model, as is discussed herein.

FIG. 14 depicts an exemplary process 1400 for visualizing andconfiguring controller function sequences. In accordance with aboveembodiments, process 1400 may be implemented in system 10 depicted inFIG. 1 , or any type of IoT network environment. For example, process1400 may be performed by a processor (e.g., processor 136) and/or othercomponents of security provider 102 (e g., database 130), or by anycomputing device or IoT system. Steps of process 1400 may involvegenerating information on a display, for example, display 134.

At step 1402, process 1400 may identify at least one code segment, whichmay be an executable code segment associated with a controller. Forexample, the at least one code segment may be for implementation orexecution on a physical controller (e.g., an ECU, which may be of avehicle), a virtual controller, a personal computing device, and/or maybe code that is not configured to execute. In some embodiments, the codesegment may include a code change, which may be represented by a deltafile configured to change code on a controller, consistent with otherembodiments discussed herein.

At step 1404, process 1400 may analyze at least one code segment (e.g.,a code segment identified at step 1402). In some embodiments, analyzingthe code segment may involve determining at least one function and/or atleast one functional relationship associated with the at least one codesegment. Analyzing the code segment may also involve receiving and/orgenerating a line-of-code behavior and relation model, signature value,dynamic code flow integrity model, or other similar information of theembodiments discussed herein. For example, the code segment may includea delta file configured to change code on a controller from a firstversion of code to a second version of code.

At step 1406, process 1400 may construct a software functionalityline-of-code behavior and relation model, which may visually depictinformation, such as a determined function and/or functionalrelationship (e.g., determined at step 1404). In some embodiments, thesoftware functionality line-of-code behavior and relation model may onlybe accessed by process 1400 (e.g., in embodiments where the model hasalready been constructed). In some embodiments a software functionalityline-of-code behavior and relation model may be similar to or the sameas another model discussed in the present disclosure (e.g., aline-of-code behavior and relation model 30).

At step 1408, process 1400 may display a line-of-code behavior andrelation model, which may depict software functionality. Theline-of-code behavior and relation model may be displayed at a userinterface (e.g., an interface 40, which may e displayed at, for example,display 134).

At step 1410, process 1400 may receive an input, which may be entered ata user interface. For example, an input may be received by a userthrough an action (e.g., mouse click, touch screen press, keyboardpress, etc.) at a user interface, which may be received at a user device128 or communication interface 132. Such action may be based on aninterface 40 displayed to a user. In some embodiments, process 1400 mayreceive multiple user inputs, either simultaneously or sequentially. Forexample, process 1400 may receive a second input (e.g., an inputassociated with a code change on a controller) at a user interface afterhaving received an input at step 1410.

At step 1412, process 1400 may perform a responsive display action,which may be performed in response to the input received at step 1410.In some embodiments, performing a responsive display action may includeanimating a displayed line-of-code behavior and relation model tovisually depict execution of a code segment on a controller, which mayinclude emphasizing a visual element of at least one function associatedwith at least one code segment. For example, process 1400 may animate adisplayed line-of-code behavior and relation model, for example, byanimating an update within the model, which may be based on the receivedsecond input. Such an animation may include changing a color, text,shading, shape, position, size, a pictorial element (e.g., a red Xmark), or any other visual aspect of a displayed visual element, whichmay correspond to a symbol or symbol relationship, as discussed withrespect to other embodiments herein. In some embodiments, a sound mayalso be played based on a user input (e.g., an alert sound may be playedwhen an update based on a user input is determined to cause an error).As even more specific examples, an animation may include snaking adisplayed visual element, enlarging some elements while shrinkingothers, emboldening the color of some elements while softening the colorof other elements, and/or taking any visual manipulation to conveyinformation to a user.

In some embodiments, process 1400 may perform a responsive displayaction based on information other than a user input. For example,process 1400 may receive data of real-time controller operations, dataof historical controller operation signature value, symbols, symbolrelationships, and/or any other informational sources related to aline-of-code behavior and relation model. In some embodiments, process1400 may determine expected functional behavior of a controller andactual functional behavior of a controller, which may be based onanalysis performed as part of process 1400 or another process discussedherein. A responsive display action may be taken based on such adetermination. For example, process 1400 may display (e.g., at a userinterface) a visual indicator of functional behavior corresponding toexecution of the at least one executable code segment relative toexpected functional behavior. As a further example, process 1400 mayoutline, embolden, animate, or otherwise emphasize displayed symbols ordisplayed symbol relationships whose actual symbols exhibit functionalbehavior differing from expected functional behavior. In someembodiments, process 1400 may determine a degree of deviation betweenexpected and actual behaviors. Process 1400 may also emphasize (e.g.,outline, embolden, animate, etc.) visual elements (e.g., of symbolsand/or symbol relationships) with a degree of intensity that correlateswith the degree to which the exhibited functional behavior differed fromthe expected behavior.

Process 1400 may also estimate a probability of downtime for acontroller based on the degree of deviation. In some embodiments,process 1400 may display an indication of a probability of downtime(e.g., at a user interface).

In some embodiments, process 1400 may access code, which may beexecutable code configured to execute a software change on a controller,from which a line-of-code behavior and relation model may be constructed(e.g., at step 1406). In some embodiments, process 1400 may also send analert to a remote device (e.g., an alert based on a received input basedon a deviation, etc.).

It is to be understood that the disclosed embodiments are notnecessarily limited in their application to the details of constructionand the arrangement of the components and/or methods set forth in thefollowing description and/or illustrated in the drawings and/or theexamples. The disclosed embodiments are capable of variations, or ofbeing practiced or carried out in various ways.

For example while some embodiments are discussed in a context involvingelectronic controller units (ECUs) and vehicles, these elements need notbe present in each embodiment. While vehicle communications systems arediscussed in some embodiments, other electronic systems (e.g., IoTsystems) having any kind of controllers may also operate within thedisclosed embodiments. Such variations are fully within the scope andspirit of the described embodiments.

The disclosed embodiments may be implemented in a system, a method,and/or a computer program product. The computer program product mayinclude a computer readable storage medium (or media) having computerreadable program instructions thereon for causing a processor to carryout aspects of the present disclosure.

The computer readable storage medium can be a tangible device that canretain and store instructions for use by an instruction executiondevice. The computer readable storage medium may be, for example, but isnot limited to, an electronic storage device, a magnetic storage device,an optical storage device, an electromagnetic storage device, asemiconductor storage device, or any suitable combination of theforegoing. A non-exhaustive list of more specific examples of thecomputer readable storage medium includes the following: a portablecomputer diskette, a hard disk, a random access memory (RAM), aread-only memory (ROM), an erasable programmable read-only memory (EPROMor Flash memory), a static random access memory (SRAM), a portablecompact disc read-only memory (CD-ROM), a digital versatile disk (DVD),a memory stick, a floppy disk, a mechanically encoded device such aspunch-cards or raised structures in a groove having instructionsrecorded thereon, and any suitable combination of the foregoing. Acomputer readable storage medium, as used herein is not to be construedas being transitory signals per se, such as radio waves or other freelypropagating electromagnetic waves, electromagnetic ayes propagatingthrough a waveguide or other transmission media (e.g., light pulsespassing through a fiber-optic cable), or electrical signals transmittedthrough a wire.

Computer readable program instructions described herein can bedownloaded to respective computing/processing devices from a computerreadable storage medium or to an external computer or external storagedevice via a network, for example, the Internet, a local area network, awide area network and/or a wireless network. The network may comprisecopper transmission cables, optical transmission fibers, wirelesstransmission, routers, firewalls, switched, gateway computers and/oredge servers. A network adapter card or network interface in eachcomputing/processing device receives computer readable programinstructions from the network and forwards the computer readable programinstructions for storage in a computer readable storage medium withinthe respective computing/processing device.

Computer readable program instructions for ca tying out operations ofthe present disclosure may be assembler instructions,instruction-set-architecture (ISA) instructions, machine instructions,machine dependent instructions, microcode, firmware instructions,state-setting data or either source code or object written in anycombination of one or more programming languages, including an objectoriented programming language such as Smalltalk, C++ or the like, andconventional procedural programming languages. The computer readableprogram instructions may execute entirely on the user's computer, partlyon the user's computer, as a stand-alone software package, partly on theuser's computer and partly on a remote computer or entirely on theremote computer or server. In the latter scenario, the remote computermay be connected to the user's computer through any type of network,including a local area network (LAN) or a wide area network (WAN), orthe connection may be made to an external computer (for example, throughthe Internet using an Internet Service Provider). In some embodiments,electronic circuitry, for example, programmable logic circuitry,field-programmable gate arrays (FPGA), or programmable logic arrays(PLA) may execute the computer readable program instructions byutilizing state information of the computer readable programinstructions to personalize the electronic circuitry, in order toperform aspects of the present disclosure.

Aspects of the present disclosure are described herein with reference toflowchart illustrations and/or block diagrams of methods, apparatus(systems), and computer program products according to embodiments of thedisclosure. It will be understood that each block of the flowchartillustrations block diagrams, and combinations of blocks in theflowchart illustrations and/or block diagrams, can be implemented bycomputer readable program instructions.

These computer readable program instructions may be provided to aprocessor of a general purpose computer, special purpose computer, orother programmable data processing apparatus to produce a machine, suchthat the instructions, which execute via the processor of the computeror other programmable data processing apparatus, create means forimplementing the functions/acts-specified in the flowchart and/or blockdiagram block or blocks. These computer readable program instructionsmay also be stored in a computer readable storage medium that can directa computer, a programmable data processing apparatus, and/or otherdevices to function in a particular manner, such that the computerreadable storage medium having instructions stored therein comprises anarticle of manufacture including instructions which implement aspects ofthe function/act specified in the flowchart and/or block diagram blockor blocks.

The computer readable program instructions may also be loaded onto acomputer, other programmable data processing apparatus, or other deviceto cause a series of operational steps to be performed on the computer,other programmable apparatus or other device to produce a computerimplemented process, such that the instructions which execute on thecomputer, other programmable apparatus, or other device implement thefunctions/acts specified in the flowchart and/or block diagram block orblocks.

The flowcharts and block diagrams in the Figures illustrate thearchitecture, functionality, and operation of possible implementationsof systems, methods and computer program products according to variousembodiments of the present disclosure. In this regard, each block in theflowcharts or block diagrams may represent a software program, segment,or portion of code, which comprises one or more executable instructionsfor implementing the specified logical function(s). It should also benoted that, in some alternative implementations, the functions noted inthe block may occur out of the order noted in the figures. For example,two blocks shown in succession may, in fact, be executed substantiallyconcurrently, or the blocks may sometimes be executed in the reverseorder, depending upon the functionality involved. Moreover, some blocksmay be executed iteratively, and some blocks may not be executed at all.It will also be noted that each block of the block diagrams and/orflowchart illustration, and combinations of blocks in the block diagramsand/or flowchart illustration, can be implemented by special purposehardware-based systems that perform the specified functions or acts, orcombinations of special purpose hardware and computer instructions.

The descriptions of the various embodiments of the present disclosurehave been presented for purposes of illustration; but are not intendedto be exhaustive or limited to the embodiments disclosed. Manymodifications and variations will be apparent to those of ordinary skillin the art without departing from the scope and spirit of the describedembodiments. The terminology used herein was chosen to best explain theprinciples of the embodiments, the practical application or technicalimprovement over technologies found in the marketplace, or to enableothers of ordinary skill in the art to understand the embodimentsdisclosed herein.

It is expected that during the life of a patent maturing from thisapplication many relevant virtualization platforms, virtualizationplatform environments, trusted cloud platform resources, cloud-basedassets, protocols, communication networks, security tokens andauthentication credentials will be developed and the scope of the theseterms is intended to include all such new technologies a priori.

It is appreciated that certain features of the disclosure, which are,for clarity, described in the context of separate embodiments, may alsobe provided in combination in a single embodiment. Conversely, variousfeatures of the disclosure, which are, for brevity, described in thecontext of a single embodiment, may also be provided separately or anysuitable subcombination or as suitable in any other described embodimentof the disclosure. Certain features described in the context of variousembodiments are not to be considered essential features of thoseembodiments, unless the embodiment is inoperative without thoseelements.

Although the disclosure has been described in conjunction with specificembodiments thereof, it is evident that many alternatives, modificationsand variations will be apparent to those skilled in the art.Accordingly, it is intended to embrace all such alternatives,modifications and variations that fall within the spirit and broad scopeof the appended claims.

What is claimed is:
 1. A non-transitory computer-readable mediumincluding instructions that, when executed by at least one processor,cause the at least one processor to perform processing operations foranalyzing control-flow integrity based on a line-of-code behavior andrelation model, comprising: receiving, at a controller, a dynamiccontrol flow integrity (CFI) model constructed based on a line-of-codebehavior and relation model; detecting a request for execution of codeon the controller; comparing the requested execution to the dynamic CFImodel; and determining, based on the comparison, if the requestedexecution violates the dynamic CFI model.
 2. The non-transitorycomputer-readable medium of claim 1, wherein the line-of-code behaviorand relation model represents execution of functions on the controller.3. The non-transitory computer-readable medium of claim 1, wherein theline-of-code behavior and relation model is constructed based onanalytical data produced based on data associated with different runtimeoperations of the controller.
 4. The non-transitory computer-readablemedium of claim 1, wherein the processing operations further comprisedenying the requested execution of the code on the controller if therequested execution violates the dynamic CFI model.
 5. Thenon-transitory computer-readable medium of claim 1, wherein theprocessing operations further comprise generating an alert if therequested execution violates the dynamic CFI model.
 6. Thenon-transitory computer-readable medium of claim 1, wherein theline-of-code behavior and relation model is constructed based on anidentified software change to the controller.
 7. The non-transitorycomputer-readable medium of claim 1, wherein the processing operationsfurther comprise validating, prior to comparing the requested executionto the dynamic CFI model, the dynamic CFI model.
 8. The non-transitorycomputer-readable medium of claim 1, wherein validating the dynamic CFImodel comprises: receiving a first signature associated with the dynamicCFI model; and comparing the first signature to a second signature todetermine if the first signature matches the second signature.
 9. Thenon-transitory computer-readable medium of claim 8, wherein validatingthe dynamic CFI model further comprises computing the second signature.10. The non-transitory computer-readable medium of claim 9, wherein thecomputation of the second signature is based on data associated with atleast one of: different runtime operations of the controller; or asoftware change for the controller.
 11. The non-transitorycomputer-readable medium of claim 8, wherein the first signature isproduced by performing a signature operation on the line-of-codebehavior and relation model.
 12. The non-transitory computer-readablemedium of claim 1, wherein the line-of-code behavior and relation modelis constructed based on analytical data produced based on dataassociated with different runtime operations of a plurality ofcontrollers, the plurality including the controller.
 13. Acomputer-implemented method for analyzing control-flow integrity basedon a line-of-code behavior and relation model, the method comprising:receiving, at a controller, a dynamic control flow integrity (CFI) modelconstructed based on a line-of-code behavior and relation model;detecting a request for execution of code on the controller; comparingthe requested execution to the dynamic CFI model; and determining, basedon the comparison, if the requested execution violates the dynamic CFImodel.
 14. The computer-implemented method of claim 13, furthercomprising denying the requested execution of the code on the controllerif the requested execution violates the dynamic CFI model.
 15. Thecomputer-implemented method of claim 13, further comprising generatingan alert if the requested execution violates the dynamic CFI model. 16.The computer-implemented method of claim 13, further comprisingvalidating, prior to comparing the requested execution to the dynamicCFI model, the dynamic CFI model.
 17. The computer-implemented method ofclaim 16, wherein validating the dynamic CFI model comprises: receivinga first signature associated with the dynamic CFI model; and comparingthe first signature to a second signature to determine if the firstsignature matches the second signature.
 18. The computer-implementedmethod of claim 17, wherein validating the dynamic CFI model furthercomprises computing the second signature.
 19. The computer-implementedmethod of claim 18, wherein the computation of the second signature isbased on data associated with at least one of: different runtimeoperations of the controller; or a software change for the controller.20. The computer-implemented method of claim 17, wherein the firstsignature is produced by performing a signature operation on theline-of-code behavior and relation model.